General

  • Target

    c5c334bb8a2f92d6727d23a17f3ea804

  • Size

    14.3MB

  • Sample

    240313-nl22bsbh3x

  • MD5

    c5c334bb8a2f92d6727d23a17f3ea804

  • SHA1

    2ae2aec5b35aebc0561e07829d5729969c65203a

  • SHA256

    bf7749f56fb2a0f6948dbe2681425d0348564b3638ae3a7f8dacf8142f61b704

  • SHA512

    8d7093873881dc5c566f19a32380de12aafcc40726131b195ab0a6ed5cea8eb9024aa521b27e14aca033769db2dc7f0001655da60400e93d9178774c70f779fd

  • SSDEEP

    24576:2cmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmxmv:2

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15