General

  • Target

    e2028f8f79c3ed4be9c7321be6ce2bcd

  • Size

    12.5MB

  • Sample

    240327-szh8laad6w

  • MD5

    e2028f8f79c3ed4be9c7321be6ce2bcd

  • SHA1

    5c07f342303d8e11e6b96b9e9cf851b733f04087

  • SHA256

    625775adf5d604e2db9ceed49c65742badebe1de069ecacf18926da7829aae10

  • SHA512

    565fb1448846d518f9fc24657ff79b9d989b2c2c95a680bfcc4eeb1268935cf08b810e5af131a98231d7ce3c9144c33feced2b389f27a1e72f6a8cd6529c0329

  • SSDEEP

    24576:3m11111111111111111111111111111111111111111111111111111111111113:

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      e2028f8f79c3ed4be9c7321be6ce2bcd

    • Size

      12.5MB

    • MD5

      e2028f8f79c3ed4be9c7321be6ce2bcd

    • SHA1

      5c07f342303d8e11e6b96b9e9cf851b733f04087

    • SHA256

      625775adf5d604e2db9ceed49c65742badebe1de069ecacf18926da7829aae10

    • SHA512

      565fb1448846d518f9fc24657ff79b9d989b2c2c95a680bfcc4eeb1268935cf08b810e5af131a98231d7ce3c9144c33feced2b389f27a1e72f6a8cd6529c0329

    • SSDEEP

      24576:3m11111111111111111111111111111111111111111111111111111111111113:

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks