General

  • Target

    764f182af0c6ddc192250baa4a4464a0

  • Size

    10.3MB

  • Sample

    240126-edkyeaegbm

  • MD5

    764f182af0c6ddc192250baa4a4464a0

  • SHA1

    29168a577f423556cad9315ca0095764015182ad

  • SHA256

    6080de44c1cef6654c06340ef242d9b7526563205b3c3d48ee761b2c88191e15

  • SHA512

    bdd6adbb881a3a305cc0fd56e3d7bb96d1798c4ac8f72684058cff1d2e64e1ff7693a4e9c417cbbe870d96ea2d9a2e4d67ad000d7a3b2aca3c855d01c7fd4197

  • SSDEEP

    98304:Db+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++S:D

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      764f182af0c6ddc192250baa4a4464a0

    • Size

      10.3MB

    • MD5

      764f182af0c6ddc192250baa4a4464a0

    • SHA1

      29168a577f423556cad9315ca0095764015182ad

    • SHA256

      6080de44c1cef6654c06340ef242d9b7526563205b3c3d48ee761b2c88191e15

    • SHA512

      bdd6adbb881a3a305cc0fd56e3d7bb96d1798c4ac8f72684058cff1d2e64e1ff7693a4e9c417cbbe870d96ea2d9a2e4d67ad000d7a3b2aca3c855d01c7fd4197

    • SSDEEP

      98304:Db+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++S:D

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks