General

  • Target

    a8f02aefb5fbf492ffd9d91dbc22ec89.exe

  • Size

    13.2MB

  • Sample

    240107-x1rctadbg4

  • MD5

    a8f02aefb5fbf492ffd9d91dbc22ec89

  • SHA1

    70b328391827f0532e8f62ada5054d697a49721e

  • SHA256

    cb0fd5c81b4b85c72ad69a435a17478b21c9e78cfae44e8675564828a30a12fa

  • SHA512

    38d997ed68dd74060fcbe373c68c3a4094e49f460154100682cd7d922eb1cb6991adab989e039a36bac12445102cbce36a77b366f6eda5ea8fcd04263442f12f

  • SSDEEP

    24576:Rgdy5yNM4444444444444444444444444444444444444444444444444444444T:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      a8f02aefb5fbf492ffd9d91dbc22ec89.exe

    • Size

      13.2MB

    • MD5

      a8f02aefb5fbf492ffd9d91dbc22ec89

    • SHA1

      70b328391827f0532e8f62ada5054d697a49721e

    • SHA256

      cb0fd5c81b4b85c72ad69a435a17478b21c9e78cfae44e8675564828a30a12fa

    • SHA512

      38d997ed68dd74060fcbe373c68c3a4094e49f460154100682cd7d922eb1cb6991adab989e039a36bac12445102cbce36a77b366f6eda5ea8fcd04263442f12f

    • SSDEEP

      24576:Rgdy5yNM4444444444444444444444444444444444444444444444444444444T:

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks