General
-
Target
ae94bcdff4c4db9cd6aaa662d87f6b3bc9b1de7a786156307c42aad4f4d72334
-
Size
10.6MB
-
Sample
240510-ev4f3sdg48
-
MD5
48d331a22042af3c46f4a5c5852fd973
-
SHA1
144c9fbab74bfa069d42f895d84cd0573d5e5582
-
SHA256
ae94bcdff4c4db9cd6aaa662d87f6b3bc9b1de7a786156307c42aad4f4d72334
-
SHA512
64d36047c7e0d92054eac6b44eae05ada08e7fb5febbb5a2ae6b7a07ebdc9bd31ebd0391b490957362d1c3727986591bdcb0598111967c4b94e1b895f8b71026
-
SSDEEP
6144:CKNDMp7tMWhHwXO3kyvzC0+9XFWYW///////////////////////////////////:CKNDMpOmHKcRv+0u
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
ae94bcdff4c4db9cd6aaa662d87f6b3bc9b1de7a786156307c42aad4f4d72334
-
Size
10.6MB
-
MD5
48d331a22042af3c46f4a5c5852fd973
-
SHA1
144c9fbab74bfa069d42f895d84cd0573d5e5582
-
SHA256
ae94bcdff4c4db9cd6aaa662d87f6b3bc9b1de7a786156307c42aad4f4d72334
-
SHA512
64d36047c7e0d92054eac6b44eae05ada08e7fb5febbb5a2ae6b7a07ebdc9bd31ebd0391b490957362d1c3727986591bdcb0598111967c4b94e1b895f8b71026
-
SSDEEP
6144:CKNDMp7tMWhHwXO3kyvzC0+9XFWYW///////////////////////////////////:CKNDMpOmHKcRv+0u
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2