General

  • Target

    cbf5e424dc90b592d06e8f30f37c1e6b

  • Size

    13.2MB

  • Sample

    240315-vn9mhsdg5y

  • MD5

    cbf5e424dc90b592d06e8f30f37c1e6b

  • SHA1

    c036166895f21a873d666560bfd7e7fce142f260

  • SHA256

    2e3bb86704384f0a25c46a9b79a7f2ae0168709d3560d94f92acfd51bd6a7637

  • SHA512

    0fec8527110f2c75dc3cb6b61a97fe544596f1b1575a6ac025420fa9fdd651c3dc6c4db5dcc4e1bfb8b29d1bde34c3302f2801430a5140dc626edb4f7d0810d6

  • SSDEEP

    6144:1KTDS3aiZOTXbKdags2FNxWUWF5zoINm/nu:QMaiZOT+dags21Wts9vu

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      cbf5e424dc90b592d06e8f30f37c1e6b

    • Size

      13.2MB

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks