General

  • Target

    c32a916a37408b7d34d4b08fdccf4e0f

  • Size

    12.7MB

  • Sample

    240312-mtzqhafa6y

  • MD5

    c32a916a37408b7d34d4b08fdccf4e0f

  • SHA1

    4312ad3ec1ec200124d6e6a8781ca27c2b83150d

  • SHA256

    e32ea3931e46be8578bba766505e210447d6fbe83fac61098f0a10de4b6a6ba9

  • SHA512

    b14059d0f8ea5838bad20511b25c30bdaae8a423cce69c66cc6e2298241ccc6e68f706a58af36c05d87597f9205123816bc054501c6441cad3728b154a9232d6

  • SSDEEP

    24576:IlxdvCcpOKCtBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBL:IlzOR

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      c32a916a37408b7d34d4b08fdccf4e0f

    • Size

      12.7MB

    • MD5

      c32a916a37408b7d34d4b08fdccf4e0f

    • SHA1

      4312ad3ec1ec200124d6e6a8781ca27c2b83150d

    • SHA256

      e32ea3931e46be8578bba766505e210447d6fbe83fac61098f0a10de4b6a6ba9

    • SHA512

      b14059d0f8ea5838bad20511b25c30bdaae8a423cce69c66cc6e2298241ccc6e68f706a58af36c05d87597f9205123816bc054501c6441cad3728b154a9232d6

    • SSDEEP

      24576:IlxdvCcpOKCtBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBL:IlzOR

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks