General

  • Target

    e164a0373adbd18f139bf9202f864706

  • Size

    10.0MB

  • Sample

    240327-ly3ghshf82

  • MD5

    e164a0373adbd18f139bf9202f864706

  • SHA1

    98051b6f6c334b9d5ff1d2219b0b2565f6d9d6bf

  • SHA256

    b715642c8c1a14c5aaa42e3cbbabb2d4b4773cf2674ef22ae60616694d7bd7a7

  • SHA512

    8241ff2ace67d70d03f02962f116dd44ffffd84f9aaa4e9cc14c866e313b4958762a41f861b544a33118a66f2b4290c6d3ec6664331cc047785e9976c3161f0c

  • SSDEEP

    24576:QjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBV:Qnh

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      e164a0373adbd18f139bf9202f864706

    • Size

      10.0MB

    • MD5

      e164a0373adbd18f139bf9202f864706

    • SHA1

      98051b6f6c334b9d5ff1d2219b0b2565f6d9d6bf

    • SHA256

      b715642c8c1a14c5aaa42e3cbbabb2d4b4773cf2674ef22ae60616694d7bd7a7

    • SHA512

      8241ff2ace67d70d03f02962f116dd44ffffd84f9aaa4e9cc14c866e313b4958762a41f861b544a33118a66f2b4290c6d3ec6664331cc047785e9976c3161f0c

    • SSDEEP

      24576:QjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBV:Qnh

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks