General

  • Target

    db637cf684839367c227076758e5e310

  • Size

    11.5MB

  • Sample

    240321-mekm2aag9v

  • MD5

    db637cf684839367c227076758e5e310

  • SHA1

    e9f7a17b4ad1c94fa509953790e671ff2a7e1a23

  • SHA256

    6b14cc1206e4d4f5d4d7888c3a981b8dcfb6657a60c426644607fd8fb33f7e17

  • SHA512

    ff9d529cacac26df84bd4aacf7b1d271cad76dfc3a319ee8e5ead8203de36d2eef27502887a70d472d519f6937077d84c52b6618658ab5de0cb37f92787d1efb

  • SSDEEP

    24576:SUqa71YB5DHlommmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmn:SF15

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      db637cf684839367c227076758e5e310

    • Size

      11.5MB

    • MD5

      db637cf684839367c227076758e5e310

    • SHA1

      e9f7a17b4ad1c94fa509953790e671ff2a7e1a23

    • SHA256

      6b14cc1206e4d4f5d4d7888c3a981b8dcfb6657a60c426644607fd8fb33f7e17

    • SHA512

      ff9d529cacac26df84bd4aacf7b1d271cad76dfc3a319ee8e5ead8203de36d2eef27502887a70d472d519f6937077d84c52b6618658ab5de0cb37f92787d1efb

    • SSDEEP

      24576:SUqa71YB5DHlommmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmn:SF15

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks