General

  • Target

    0c7824fd2d1717ce83f2c7a6522047c4

  • Size

    12.7MB

  • Sample

    231230-dlntlahbak

  • MD5

    0c7824fd2d1717ce83f2c7a6522047c4

  • SHA1

    4849c18f94170bd876a2b0653763c04ebe61cfc4

  • SHA256

    59b5b9da2fdcee0b843246228a6eace2de8e5f20a82e2ed7df64e78f657f8772

  • SHA512

    eae3dd61afae33e900953fb0bf4f1e994c4df8bf2c3d7ed3581a8e06801857373bc2cad25a518825c62b829eb61cc286169bf3cefc43f9b818ab937b24e7cf94

  • SSDEEP

    24576:FjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB5:Fnh

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks