General

  • Target

    e1e76de4328d3b1cbaddd63648b68b89

  • Size

    12.4MB

  • Sample

    240327-rye9wahd2v

  • MD5

    e1e76de4328d3b1cbaddd63648b68b89

  • SHA1

    b45d7bfd9d0d21112ad8fd4a987e1a4aab664db8

  • SHA256

    5dfb6e38638229e915cc61d098ac5604c57e9951cb10427fc9af1cb3048dae46

  • SHA512

    bc3e711f37e0907a234526811f49660f9589076796324b234cee99f6d0b0520b3696e5e1c6a93ebf24a4a6b86422938d1f18373aa9b31f6cab4f4aaec498d741

  • SSDEEP

    393216:qmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmma:qmmmmmmmmmmmmmmmmmmmmmmmmmmmmmma

Malware Config

Extracted

Family

tofsee

C2

194.61.3.129

defeatwax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks