General

  • Target

    db405bb000ed15c5e69718089693a8a1

  • Size

    12.5MB

  • Sample

    240321-k5qwmahe6v

  • MD5

    db405bb000ed15c5e69718089693a8a1

  • SHA1

    b7489cc718f81f57c4359cc48c4a0eec50284e6c

  • SHA256

    f1a759e3fde77a58cd64f5211644cd372ed1a7beb7096aa4f89373e73483bc0a

  • SHA512

    e76ce3ef162c2765956f9601854e2ca2e97745a41be1c21b8ed59ca135e5d5724890a04217f2c3b1a257fa508072aac635aacebfbb33c9516dc97d3e3ac58e29

  • SSDEEP

    24576:5lxdvCcpOKCtBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/:5lzOR

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      db405bb000ed15c5e69718089693a8a1

    • Size

      12.5MB

    • MD5

      db405bb000ed15c5e69718089693a8a1

    • SHA1

      b7489cc718f81f57c4359cc48c4a0eec50284e6c

    • SHA256

      f1a759e3fde77a58cd64f5211644cd372ed1a7beb7096aa4f89373e73483bc0a

    • SHA512

      e76ce3ef162c2765956f9601854e2ca2e97745a41be1c21b8ed59ca135e5d5724890a04217f2c3b1a257fa508072aac635aacebfbb33c9516dc97d3e3ac58e29

    • SSDEEP

      24576:5lxdvCcpOKCtBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/:5lzOR

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks