General

  • Target

    c30a4dc2e1c069f7de3a69a6af3d2b3b

  • Size

    14.6MB

  • Sample

    240312-lmmlxsff43

  • MD5

    c30a4dc2e1c069f7de3a69a6af3d2b3b

  • SHA1

    e2a9f905d18a23b71ca4b5d0524b3c5bab24187a

  • SHA256

    5a7604d930d2be45306e7d195de40ad715e8232b9fb079ddbcd7a6a09c545dcb

  • SHA512

    945f8e6bdfe1288a89d569d9205e4bb774210642c984cc8913c79a1b2cdf7af48046c4f026a9196fe9ec6d1c4c6d46c382b707f40784602de75b6657fbb85e09

  • SSDEEP

    24576:xjCj10HSqGgeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:x/D

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      c30a4dc2e1c069f7de3a69a6af3d2b3b

    • Size

      14.6MB

    • MD5

      c30a4dc2e1c069f7de3a69a6af3d2b3b

    • SHA1

      e2a9f905d18a23b71ca4b5d0524b3c5bab24187a

    • SHA256

      5a7604d930d2be45306e7d195de40ad715e8232b9fb079ddbcd7a6a09c545dcb

    • SHA512

      945f8e6bdfe1288a89d569d9205e4bb774210642c984cc8913c79a1b2cdf7af48046c4f026a9196fe9ec6d1c4c6d46c382b707f40784602de75b6657fbb85e09

    • SSDEEP

      24576:xjCj10HSqGgeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:x/D

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks