General

  • Target

    2f0b4b4819d48ff7ba4dbeb258a93189.zip

  • Size

    194KB

  • Sample

    240830-3baxessemp

  • MD5

    6c942be91793683230c1c87f054d6cec

  • SHA1

    fb01814b93471bc5b81b7aa3c46ef3559456afe3

  • SHA256

    e910c690fdd6944df35d0de3cbc5241ac2172dcf02d43b2ccc9f72470e7b37f0

  • SHA512

    32a51b702b9c866b7cf6b23705f0b8f0dba5c59f87474756364eeebe1e3c74e4e73d6deab6021b9b29e0e7688b9a96b13e17849052030e7af972d418a5c0eb51

  • SSDEEP

    6144:11LiKQOj2852S7KrkatIaUVBY9/QJHQP/qvi373T:f7N52SUk6IBu2AS0/

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      3a115fc118d5b0933c8550da6125b78d4956e27f671c00945d0ad04d5839dab4

    • Size

      10.9MB

    • MD5

      2f0b4b4819d48ff7ba4dbeb258a93189

    • SHA1

      98067909fa21b0bf107449206405ac8b13e5c776

    • SHA256

      3a115fc118d5b0933c8550da6125b78d4956e27f671c00945d0ad04d5839dab4

    • SHA512

      090e957459548ed42424f07cb387664bff76d0efcc5b36943339b909290696496738c0b4586f446df4f6c0f1aa4faccb6ad66aab404a8775e7146491b4cd16e1

    • SSDEEP

      6144:HLmhaXrxJHCx7HdqAT7mvs/bNAk3B79NmVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV1:HLmhaXrxJHuHdPT1n9N

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks