General

  • Target

    ddce523df0419ec9b5d3c38679be4484

  • Size

    11.7MB

  • Sample

    240325-mnz43sgc8y

  • MD5

    ddce523df0419ec9b5d3c38679be4484

  • SHA1

    e3c7b6d79aae548165485512337f5ff6cf7d727f

  • SHA256

    a34db517799a1b3b6349eecf67f001136262399d619948f2535fd794b6171b1d

  • SHA512

    101b137c34b06950de362cc62dc25ef207898a9ee3e8c1bb4a90f1497d3c27bc3a9bb5a4c1c6d5c9ce649fa78ca97647526a5d818a8fe5f48bcc6b5bc20c3faa

  • SSDEEP

    196608:svvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info
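
The hashes and C2 domains above are the indicators this report yields. The Python below is an added example, not output of the sandbox or code from the Tofsee sample: it streams a file through the four digest algorithms the report lists and compares the result with the report's values, and it scans DNS-style log lines (the log format and the lines themselves are constructed here) for the two C2 domains, counting subdomains as hits but not look-alike names such as a registrable domain that merely ends in the IOC string.

```python
"""Match files and DNS queries against the indicators in this report (added example)."""
import hashlib
import io
import re

# Hashes and C2 domains copied verbatim from the report above.
TOFSEE_HASHES = {
    "md5": "ddce523df0419ec9b5d3c38679be4484",
    "sha1": "e3c7b6d79aae548165485512337f5ff6cf7d727f",
    "sha256": "a34db517799a1b3b6349eecf67f001136262399d619948f2535fd794b6171b1d",
    "sha512": "101b137c34b06950de362cc62dc25ef207898a9ee3e8c1bb4a90f1497d3c27bc"
              "3a9bb5a4c1c6d5c9ce649fa78ca97647526a5d818a8fe5f48bcc6b5bc20c3faa",
}
TOFSEE_C2 = frozenset({"defeatwax.ru", "refabyd.info"})


def hash_stream(fh):
    """Read a binary stream once and return hex digests for every algorithm in the report."""
    hashers = {alg: hashlib.new(alg) for alg in TOFSEE_HASHES}
    for chunk in iter(lambda: fh.read(1 << 20), b""):
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_bytes(data):
    """Digests of an in-memory buffer (used for the self-test below)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    """Digests of a file on disk, read in 1 MiB chunks so an 11.7 MB sample is not slurped."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def matching_algorithms(digests):
    """Algorithms whose digest equals the report's value (empty list means no match)."""
    return sorted(alg for alg, hexd in digests.items()
                  if TOFSEE_HASHES.get(alg) == hexd.lower())


def is_c2_domain(qname, iocs=TOFSEE_C2):
    """True for an IOC domain or any subdomain of it; look-alikes such as
    'notdefeatwax.ru' or 'defeatwax.ru.example.com' do not match."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


# Constructed log format, not real telemetry: "<timestamp> <client-ip> query: <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)")

# Constructed sample lines; the two C2 lookups come from one host.
SAMPLE_DNS_LOG = [
    "2024-03-25T10:01:02Z 10.0.0.15 query: update.microsoft.com",
    "2024-03-25T10:01:09Z 10.0.0.15 query: defeatwax.ru",
    "2024-03-25T10:01:10Z 10.0.0.15 query: mail.refabyd.info.",
    "2024-03-25T10:01:11Z 10.0.0.22 query: notdefeatwax.ru",
    "2024-03-25T10:01:12Z 10.0.0.22 query: defeatwax.ru.example.com",
]


def scan_dns_log(lines):
    """Return (timestamp, client, qname) for each query that resolves a C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line)
        if m and is_c2_domain(m["qname"]):
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("C2 lookup:", *hit)
    print("algorithms matching the report:", matching_algorithms(hash_bytes(b"not the sample")))
```

A hash match is only as good as the file you hash: Tofsee is typically delivered packed and re-built often, so a miss on every algorithm rules out this exact sample and nothing more, whereas a DNS hit on either C2 domain is worth acting on regardless of which binary caused it.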

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
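
The signatures above describe a cluster, not a single event: the sample drops and executes an EXE, which registers a service by writing its ImagePath to the registry and then changes the Windows Firewall. The Python below is an added example, not part of the report, showing how a detection would tie those three behaviours back to one process chain. The telemetry is constructed: the field names follow Sysmon (EventID 11 FileCreate, 1 ProcessCreate, 13 RegistryEvent value set) and the Windows Firewall operational log (EventID 2004, rule added), with the acting process normalised into an "image" field, and the events are assumed to arrive in chronological order.

```python
"""Flag a process chain that shows the behaviour cluster reported for this sample
(added example): writing a service ImagePath to the registry, changing the Windows
Firewall, and executing an EXE it dropped."""
from collections import defaultdict
import re

# Sysmon EventID 13 reports a service image path written under this key.
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.IGNORECASE)

# Constructed telemetry, not sandbox output. "image" is Sysmon's Image, or the
# ModifyingApplication of Firewall EventID 2004. Paths and names are made up.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 11, "image": r"C:\ProgramData\inv.exe",
     "target": r"C:\Windows\Temp\svchst.exe"},                        # FileCreate
    {"source": "sysmon", "event_id": 1, "image": r"C:\Windows\Temp\svchst.exe",
     "parent_image": r"C:\ProgramData\inv.exe"},                      # ProcessCreate
    {"source": "sysmon", "event_id": 13, "image": r"C:\Windows\Temp\svchst.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\updsvc\ImagePath",
     "details": r"C:\Windows\Temp\svchst.exe"},                       # RegistryEvent
    {"source": "firewall", "event_id": 2004, "image": r"C:\Windows\Temp\svchst.exe",
     "rule_name": "Allow svchst"},                                     # rule added
    {"source": "sysmon", "event_id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\VendorSvc\ImagePath",
     "details": r"C:\Program Files\Vendor\svc.exe"},                  # benign installer
]


def correlate(events):
    """Return {root image: set of behaviours}, rolling each dropped-and-executed
    child's behaviours up to the process that dropped it."""
    dropped_by = {}                  # dropped .exe path -> image that wrote it
    parent_of = {}                   # executed dropped exe -> its dropper
    behaviours = defaultdict(set)
    for ev in events:
        src, eid, img = ev["source"], ev["event_id"], ev["image"].lower()
        if src == "sysmon" and eid == 11 and ev["target"].lower().endswith(".exe"):
            dropped_by[ev["target"].lower()] = img
        elif src == "sysmon" and eid == 1 and img in dropped_by:
            parent_of[img] = dropped_by[img]
            behaviours[dropped_by[img]].add("executes_dropped_exe")
        elif src == "sysmon" and eid == 13 and SERVICE_IMAGEPATH.match(ev["target"]):
            behaviours[img].add("sets_service_image_path")
        elif src == "firewall" and eid == 2004:
            behaviours[img].add("modifies_windows_firewall")

    def root(img):
        # Walk the drop chain to its origin; the seen-set guards against a loop.
        seen = set()
        while img in parent_of and img not in seen:
            seen.add(img)
            img = parent_of[img]
        return img

    rolled = defaultdict(set)
    for img, found in behaviours.items():
        rolled[root(img)] |= found
    return dict(rolled)


def alerts(events, threshold=2):
    """Root images showing at least `threshold` of the three reported behaviours."""
    return sorted(img for img, found in correlate(events).items() if len(found) >= threshold)


if __name__ == "__main__":
    for img, found in correlate(SAMPLE_EVENTS).items():
        print(img, sorted(found))
    print("alerts:", alerts(SAMPLE_EVENTS))
```

The threshold is the practitioner's caveat: a service ImagePath write on its own is something every installer does (the vendor setup.exe above triggers it and is not alerted), so the value of this report's signature list lies in the co-occurrence of service creation, firewall modification and a dropped EXE within one chain, and the roll-up to the dropper is what makes the dropped child's actions count against the file that arrived on the host.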

MITRE ATT&CK Enterprise v15

Tasks