General

  • Target

    c705c9ec715f3e7e67a90f87281909b6

  • Size

    13.2MB

  • Sample

    240313-2hnlesdc84

  • MD5

    c705c9ec715f3e7e67a90f87281909b6

  • SHA1

    bdb24211212e355c61476c7a3797488d1f967227

  • SHA256

    da4c05e09818eb246b65e3e0c4b0974903e7a4696c188824c7aee45cf395f5ba

  • SHA512

    abddf8837c594f9a99e6134ffd309c8ed8a0c95bf44080426c72c324acb199a2154756a11529a1c9cc2eb7578592bedf7732fb4e236bd24d75bd2bece0c255a9

  • SSDEEP

    24576:berU5sWbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbn:bsW

Malware Config

Extracted

  • Family

    tofsee

  • C2

    defeatwax.ru

    refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks