General

  • Target: cc35570f8a6ca5eaa3b157d5129cf642
  • Size: 12.0MB
  • Sample: 240315-xyjj7agf91
  • MD5: cc35570f8a6ca5eaa3b157d5129cf642
  • SHA1: 183c1a4dd86f9e96aba6020770de442ba1cab90f
  • SHA256: 961f5faa6835275d729394a3136e2a932540297fa9ccf7ced9f0bec24b191f39
  • SHA512: 638b4c36533d05b96b19f046899fcdc471efc58cd0893def3daa3d83d5c219fb8de67fd436cba3e22586b70a70e35ef7241cb042175c6f9555be52f2112bce58
  • SSDEEP: 24576:9lxdvCcpOKCtBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBD:9lzOR

Malware Config

Extracted

  • Family: tofsee
  • C2: defeatwax.ru
  • C2: refabyd.info

Targets

    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks