General

  • Target

    4fece95c5138be47dc60bef4279def37.zip

  • Size

    177KB

  • Sample

    240831-a5w3jawelk

  • MD5

    c01ca859a8ba4b5b43713f206c06036d

  • SHA1

    c58bdf8ebecf2ca453dbac1363b06919030f7976

  • SHA256

    20d18575cd105fb4081c0de2bb959303a7d18e8e1afee5dfd33728fdd223c23b

  • SHA512

    064440faa196fbcbc2407d0459539fafc3cdccbf06cb6a84dfb53141b496fad2539a48670d99a97aae6960193810b02b20b28423fbcef8766ae1e7fd19b1226d

  • SSDEEP

    3072:NOrhEGkefWdg2KHtU9+6EdFzMBeJLd+5SJzEWVO5Zx/q9qWxSD5op8:gGGkrg2KNUYTMBcZGizEWV2HqMWxu2a

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      f4debee839654168bc951377f49cb7f3af9cc125168975e3ea1a111f92efb705

    • Size

      11.8MB

    • MD5

      4fece95c5138be47dc60bef4279def37

    • SHA1

      1a8feffb0571f72236b16aeffd5223d0ed2400c4

    • SHA256

      f4debee839654168bc951377f49cb7f3af9cc125168975e3ea1a111f92efb705

    • SHA512

      a4c40a3d0963d7ce1d2b15f67e382964fb26a4f52509f770f7f7f6ceeedaa34050f3a13734f70f5f6eb03beb0b03cbc673ab9d7835855bdbf2f9de970feb81d6

    • SSDEEP

      196608:p4TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTn:p

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks