General

  • Target

    dc169da70e167b89d6cc91eff916834e

  • Size

    12.0MB

  • Sample

    240321-tzljdshb6x

  • MD5

    dc169da70e167b89d6cc91eff916834e

  • SHA1

    a8a8944bead56310763f7c5dc4cf14c448c1d28d

  • SHA256

    2f1c70048751c81d77d185abdbb695239373fa66b3d4e31c5bcfc0687b6b9944

  • SHA512

    2525b2d38d50d2b1d611cbbf50fa27ff3518809546c490baabef2ec37b29055004dce9abb98a03a717ea2757485f53fc2be7f0638756403cc73922c9479480bb

  • SSDEEP

    393216:8mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmi:8mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmi

Malware Config

Extracted

Family

tofsee

C2

194.61.3.129

defeatwax.ru

Targets

    • Target

      dc169da70e167b89d6cc91eff916834e

    • Size

      12.0MB

    • MD5

      dc169da70e167b89d6cc91eff916834e

    • SHA1

      a8a8944bead56310763f7c5dc4cf14c448c1d28d

    • SHA256

      2f1c70048751c81d77d185abdbb695239373fa66b3d4e31c5bcfc0687b6b9944

    • SHA512

      2525b2d38d50d2b1d611cbbf50fa27ff3518809546c490baabef2ec37b29055004dce9abb98a03a717ea2757485f53fc2be7f0638756403cc73922c9479480bb

    • SSDEEP

      393216:8mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmi:8mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmi

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks