General

  • Target

    dc2a8e230e864fc3e8a9526cc1a9776e

  • Size

    12.8MB

  • Sample

    240321-vn1dvaee7s

  • MD5

    dc2a8e230e864fc3e8a9526cc1a9776e

  • SHA1

    eea3ff04f12b7d626f78558a4fd91960567c88f6

  • SHA256

    48485d0834ca169757ffe096c89f791f4a5335b00966c10180c70e0e95934894

  • SHA512

    847a57267057ee5eea3f97fa35b503fbc9488c377cb7f05f1d9028da8a4bd32b76a85cf21f33abbbe9ffd53c887d4adc474ac2ab368bfc781e0016e3f767db80

  • SSDEEP

    24576:0jDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBx:0nh

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks