General

  • Target

    c4825f863ad2dffbb38a23feafcec85f

  • Size

    14.0MB

  • Sample

    240313-atwmmahc69

  • MD5

    c4825f863ad2dffbb38a23feafcec85f

  • SHA1

    cbeec003f95eec96cb00c530c016d6ba06b52205

  • SHA256

    6f7e9723bb0c479da06f3412c040da4b4507e54e84ad9cc63162a6b09347a6c6

  • SHA512

    c1a2b256473fcd82ed6303051508c9fa25f7e755e29107cbd878284d4bbfc25a4215945ffa0934c130717adc41f3ba4ba4cd9fdc4f64c45d59654c116e79d0ec

  • SSDEEP

    24576:QjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBR:Qnh

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      c4825f863ad2dffbb38a23feafcec85f

    • Size

      14.0MB

    • MD5

      c4825f863ad2dffbb38a23feafcec85f

    • SHA1

      cbeec003f95eec96cb00c530c016d6ba06b52205

    • SHA256

      6f7e9723bb0c479da06f3412c040da4b4507e54e84ad9cc63162a6b09347a6c6

    • SHA512

      c1a2b256473fcd82ed6303051508c9fa25f7e755e29107cbd878284d4bbfc25a4215945ffa0934c130717adc41f3ba4ba4cd9fdc4f64c45d59654c116e79d0ec

    • SSDEEP

      24576:QjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBR:Qnh

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks