General

  • Target: c63b5e6305535cdaaaeb11889ddfb097
  • Size: 11.4MB
  • Sample: 240313-szjjcsae55
  • MD5: c63b5e6305535cdaaaeb11889ddfb097
  • SHA1: 5e8ab02cda98483da63957375524d8a2f5e97913
  • SHA256: 00e343ddfcac2d81f4ff3884a99714dd96649323f474a35b531bf0d83da8d50b
  • SHA512: 47e0f03ed21cb81a59ad45c806efe43b8b8f2da34fb752c53f1c8c5c0078c1249f1a70178a6b124f9c582e4d8faaad0d02830b0963ff915a24c46f37991048d6
  • SSDEEP: 6144:rlfbtogINHXE+nlLO0pCxPPTObjpF8tAWsOtstststststststststststststsx:pbto10+nlLA9PybjpF8GWs

Malware Config

Extracted

  • Family: tofsee
  • C2: defeatwax.ru, refabyd.info

Targets

    • Target: c63b5e6305535cdaaaeb11889ddfb097 (hashes as listed under General above)

    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks