General

  • Target: e1a05d95531273c66fb3b520de465d17
  • Size: 12.7MB
  • Sample: 240327-n9fg8sbf59
  • MD5: e1a05d95531273c66fb3b520de465d17
  • SHA1: 8d254a770b88f877e4935e93a880caaa839f6adf
  • SHA256: 074ed6a310e79810c61522ca461946df52434ab70bfb9a20678ada618a822acc
  • SHA512: 96d365d747046f9511d04a320bc5766af35519f3e37219111efb8f51d518b34654ab11a35606f636d55a599d06247b85d6b381fe171582eb38af7c866551c0f1
  • SSDEEP: 49152:wp42RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR5:w

Malware Config

Extracted

Family: tofsee

C2: defeatwax.ru, refabyd.info

Targets

    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks