General

  • Target

    e0486eb090e7cc7d3c9f1ae2d24e5ba2

  • Size

    14.8MB

  • Sample

    240327-aalcjsac4v

  • MD5

    e0486eb090e7cc7d3c9f1ae2d24e5ba2

  • SHA1

    43c862678f7ed195de31e0faadfe11e3a0f878af

  • SHA256

    78e9086c587e8bfb31d6c49fc134cbe889b528b94ba0c55f123f832232f942e9

  • SHA512

    8ddfb1e146386dc604b5da48d43eb645a35b337ddad074c28ec65903ff6c0d45b71715bbb150d4e135a266bb3229e2110d4c0a8695f3daaf58868a6540c1a8e8

  • SSDEEP

    6144:oY6i6T3uMsioaGshtZzlUZdobrRVODE2IjblgggggggggggggggggggggggggggH:wi6DuMsioaGshtZzSdobrCz6b

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15