General

  • Target: c4099f99c04f9e88f181190169fdb309

  • Size: 11.6MB

  • Sample: 240312-wzfdgsfg9z

  • MD5: c4099f99c04f9e88f181190169fdb309

  • SHA1: 85e8041ceb0bc39621fe7bd8e8d91619efb9f212

  • SHA256: 502aaed9824aec327086ffe455216fe7808842246acfb137e2102745f67d21cf

  • SHA512: ead66b222866a6318fbbc8b6bd029d4db99a1670eee46952cc43c1138a4366500cc557153ea62c913af0032fd112e2c95dcdf14bb28860b7176ddb005d120729

  • SSDEEP: 12288:VIIW7A7qL8SHSIiwN/iZBqAsArTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTP:6A7qLNNf

Malware Config

Extracted

  • Family: tofsee

  • C2: defeatwax.ru, refabyd.info

Targets


    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
