General

  • Target

    c457abcb7f14cd3033a741382dd750da

  • Size

    11.9MB

  • Sample

    240312-25z8qsfe47

  • MD5

    c457abcb7f14cd3033a741382dd750da

  • SHA1

    4079f54d9a97ff9953810c5d4a1aa05debb19159

  • SHA256

    1993bc101701b81d7754cc246f8b09adc4478d51444a95b9abba6001350d2dcf

  • SHA512

    613454d23d0e8b717fced50f35ca529b65cae41f7189a43571206cbd299cc917f2ac86ce5a2b34900348a51d61facf9d3e41908a01b4a6b6bb6e53895349a4ca

  • SSDEEP

    6144:P0+ogoEtmYSAekxvC0J6xPFNAgbx/ektPses9zWTPGtYtYtYtYtYtYtYtYtYtYtf:Bogo0Pekxvs1F2S/TtmpWr

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks