General

  • Target: e179cf7c48696574110f74f0d1343d0e
  • Size: 10.2MB
  • Sample: 240327-mswbpade41
  • MD5: e179cf7c48696574110f74f0d1343d0e
  • SHA1: a6be3a913c9000446aa2e4bb72bd8d4d82bedc24
  • SHA256: 91fe783738efad80d5cc28a8762971ffe03f9c3559bd5326b8132a1f96a0d278
  • SHA512: ff23a058bb8d995f00f965eb6e8df3bdefb22bbfad08d4d2061e46c99bfc5b9c03f835b68fb44d081f2bb21b0d77fd0693e6eaa874860968447a171d12081245
  • SSDEEP: 24576:EUqa71YB5DHlommmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmW:EF15

Malware Config

Extracted

  • Family: tofsee
  • C2: defeatwax.ru, refabyd.info

Targets

    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks