General

  • Target

    c62fb746c84da78d62ae0fe412324106

  • Size

    10.3MB

  • Sample

    240313-sha6nagb21

  • MD5

    c62fb746c84da78d62ae0fe412324106

  • SHA1

    3aef29e7c4e0d0f43e168e1263a8a611f955b09d

  • SHA256

    03fdf5165dd65b4cc7640d577babaa94d6446cfcb4ae4d58f39c15b0756f555c

  • SHA512

    cc4a8da04b8d808a1c09cfca0aff105554774366244852c74887a71fa02befa884df743f71ab176d90fd1b8c40e596aa99dde7c8f6df4fce560ebacb57b35ee3

  • SSDEEP

    49152:EYyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyv:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks