General

  • Target: feb515efe8237480211f2fabe3976bdf.zip
  • Size: 182KB
  • Sample: 240831-j9kdzathpl
  • MD5: dff05bf3c76d9b4df6ba722b6782532b
  • SHA1: 031e2479760a390a2a5f0b4a948449108ca87e26
  • SHA256: 2d55f2bdd5540ff7247f6b1c5a5e6dda743c5d764c3963c3a7e6d48c3f9aef2e
  • SHA512: 76994a21a6af85c637f8e7f68d7015d59970897afc1a9e267ccb47ce4fc62db6c77a59a8bb78f06961a0d4ed3028005ea134d967df59c592206b2592024b435d
  • SSDEEP: 3072:C+T9BS6LBWcnC7rjt4LD/zkuPLvrVRwdm0TppRwV9Q68He9UCMNIr3G+:C+ZjnooQuPLvrVmrE9T8nI7G+

Malware Config

Extracted

  • Family: tofsee
  • C2: defeatwax.ru, refabyd.info

Targets

    • Target: 2668ea58977d5457c1bcb28d04d1b55692fc7d6a64bfc3413a2cede20e838cf4
    • Size: 13.5MB
    • MD5: feb515efe8237480211f2fabe3976bdf
    • SHA1: d30c04512b4e2a34f1825b1fb8742be1d004cbc0
    • SHA256: 2668ea58977d5457c1bcb28d04d1b55692fc7d6a64bfc3413a2cede20e838cf4
    • SHA512: a3eedc03386d4732ccd22bcaf04a4470bd711cbb3511390abe10394a4fbf5e1309adf549005816784a7e54ec1eb2f2bcdba1121bbe4bbd8460193fa3d70b9a8d
    • SSDEEP: 196608:r+TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTn:r

    Signatures

    • Tofsee
      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks