General

  • Target

    bc9734c2cc8f0ce729606a1094139e5e

  • Size

    11.7MB

  • Sample

    240309-xypq7sfh88

  • MD5

    bc9734c2cc8f0ce729606a1094139e5e

  • SHA1

    9ba350559fdc66ad89cfaa88374dddcefd49ea37

  • SHA256

    dc9b51704541b43494bab704763d5f593a560cd758fd8d1aba1817a9a4ebd6b5

  • SHA512

    ed704ce7597efd3cb4e1ebb7acb3dacbc53f4f0819cf800ead36a07c7044d01115994303b467330ccd7c9a07bd40f46279ccb05abc528508bb41a86187885040

  • SSDEEP

    24576:ajCj10HSqGgeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeO:a/D

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks