General

  • Target

    dc0c5afd8d867eb234e304b80d4d8810

  • Size

    15.0MB

  • Sample

    240321-tlm53afb37

  • MD5

    dc0c5afd8d867eb234e304b80d4d8810

  • SHA1

    8ef9333585224f83181ea02b6bcdd266847cb59b

  • SHA256

    604dd730fb4922e4dc0dd186de057a1f64a6a3a1a49ec0323e09a8fe934ab519

  • SHA512

    1eef080d2b4da9df9a673a0ad9ecbcd3e50c7ba44933f077690c034d2f177f0c405721e85a119f64269605040358c7ff37acf8b2b294f46565db4fdafc7960b3

  • SSDEEP

    24576:igdy5yNM4444444444444444444444444444444444444444444444444444444L:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks