General

  • Target

    dc3603b82053e8dd34d9a32f210e5423

  • Size

    11.1MB

  • Sample

    240321-v3728sfb2v

  • MD5

    dc3603b82053e8dd34d9a32f210e5423

  • SHA1

    f6bfaf3eda8bb6c331f41e63ee18883f3aadcae5

  • SHA256

    9b1f1e709bac06ce02b6a92abe67e57ff5d9f9933e8bea992f2a8ebc6864d1d8

  • SHA512

    fac338014f8af9cf4429c1512702c9c19fa9c14f04f864727a50025c20649fd14cb51789ffcee5a648b437b43b3253b2e3b8bc54a02430cad6224be97098f007

  • SSDEEP

    24576:HjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBz:Hnh

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      dc3603b82053e8dd34d9a32f210e5423

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands received from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
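The report above yields two kinds of indicator a responder can act on at once: the file hashes of the sample and the two extracted C2 domains. The following is an added example, not code from the sandbox vendor or from the report itself, showing how to sweep constructed DNS and file telemetry for those indicators. The log format (`key=value` fields), host names, and every log line are assumptions constructed for the example; only the hashes and domains come from the report.

```python
"""Hunt the indicators from the Tofsee report above across sample telemetry.

Added example: the log lines are constructed, not real telemetry, and the
key=value format is an assumption chosen for the demo.
"""
import re

# Indicators as extracted in the report above.
IOC_HASHES = {
    "md5": {"dc3603b82053e8dd34d9a32f210e5423"},
    "sha1": {"f6bfaf3eda8bb6c331f41e63ee18883f3aadcae5"},
    "sha256": {"9b1f1e709bac06ce02b6a92abe67e57ff5d9f9933e8bea992f2a8ebc6864d1d8"},
}
IOC_C2_DOMAINS = {"defeatwax.ru", "refabyd.info"}

# Constructed DNS query log (assumed format). Includes a subdomain of a C2
# domain, a trailing-dot FQDN, mixed case, and a lookalike that must NOT match.
DNS_LOG = """\
2024-03-21T10:01:02Z host=WS01 query=www.example.com. type=A
2024-03-21T10:01:05Z host=WS01 query=defeatwax.ru type=A
2024-03-21T10:01:09Z host=WS02 query=mail.REFABYD.info type=MX
2024-03-21T10:01:11Z host=WS02 query=notrefabyd.info type=A
2024-03-21T10:02:00Z host=WS03 query=update.example.net type=A
"""

# Constructed file-creation log (assumed format); hash case varies between sensors.
FILE_LOG = """\
2024-03-21T10:00:50Z host=WS01 path=C:\\Users\\a\\Downloads\\invoice.exe sha256=9b1f1e709bac06ce02b6a92abe67e57ff5d9f9933e8bea992f2a8ebc6864d1d8
2024-03-21T10:00:55Z host=WS02 path=C:\\Windows\\System32\\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000
2024-03-21T10:00:58Z host=WS04 path=C:\\Temp\\x.exe md5=DC3603B82053E8DD34D9A32F210E5423
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Turn 'k=v k=v ...' into a dict; the bare timestamp carries no '=' and is skipped."""
    return dict(KV_RE.findall(line))


def domain_hits(qname, iocs=IOC_C2_DOMAINS):
    """Exact or subdomain match, case-insensitive, ignoring a trailing dot.

    'mail.refabyd.info' matches 'refabyd.info'; 'notrefabyd.info' does not,
    because the suffix test requires the dot boundary.
    """
    q = qname.lower().rstrip(".")
    return sorted(d for d in iocs if q == d or q.endswith("." + d))


def scan_dns(log_text=DNS_LOG):
    """Return one hit per DNS query that resolves to a known C2 domain."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_kv(line)
        for d in domain_hits(rec.get("query", "")):
            hits.append({"host": rec["host"], "type": "c2_domain",
                         "ioc": d, "observed": rec["query"]})
    return hits


def scan_files(log_text=FILE_LOG):
    """Return one hit per file event whose hash (any algorithm) is in the IOC set."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_kv(line)
        for algo, known in IOC_HASHES.items():
            val = rec.get(algo, "").lower()  # normalise case before comparing
            if val in known:
                hits.append({"host": rec["host"], "type": "file_hash",
                             "ioc": val, "observed": rec["path"]})
    return hits


def hunt():
    """All hits across both telemetry sources."""
    return scan_dns() + scan_files()


def hosts_to_triage():
    """Distinct hosts that touched any indicator; the list an IR lead would pull."""
    return sorted({h["host"] for h in hunt()})


if __name__ == "__main__":
    for h in hunt():
        print(h)
    print("hosts to triage:", hosts_to_triage())
```

Two caveats worth keeping in mind when using indicators from a report like this: the exact hashes only catch this packed build (a repack changes MD5, SHA1 and SHA256 alike, which is what the SSDEEP fuzzy hash is for), while the C2 domains tend to outlive individual samples, so the DNS sweep usually earns more than the hash sweep. The subdomain matching above deliberately requires a dot boundary so that lookalike names do not produce false positives.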

MITRE ATT&CK Enterprise v15

Tasks