General

  • Target

    26dc30509b939d95f3e7ff81bd9c02cd.zip

  • Size

    168KB

  • Sample

    240831-k645msweln

  • MD5

    86f903053de73ffdcdb1766df78687b7

  • SHA1

    1c8b1d3453239eab73d07f613ea33ffb56ac1194

  • SHA256

    1a7fa17efcbbce7d07288cf31753af7b8ba2f3dc911a30015f9f8fc53c392285

  • SHA512

    3d2e0e27399b6f070cbd60906612bc31f5e0ebc9ee73448810d547f773c3c65b16bf36125387a65655cd79fd6e6cfd64d6428db3c236f121a427201f8eec8b4d

  • SSDEEP

    3072:ipPfv6X32gDKrj6SpC9UemmJIsrrg3epetqbKE+xxBelU5Drmm2iE1C7j3iZb3g:WXJgDsj69UeFI/UejxDTuiEwuh3g

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      bc08635f68d183add0e1c746f47d07815a903aac07c3334131cfc808f85b8bd9

    • Size

      13.1MB

    • MD5

      26dc30509b939d95f3e7ff81bd9c02cd

    • SHA1

      95503eafd7e3bbe829ba4f9cff6863c620e1ac27

    • SHA256

      bc08635f68d183add0e1c746f47d07815a903aac07c3334131cfc808f85b8bd9

    • SHA512

      24a7543199b06358b296e4c0bedb3365c3e29ac054aa3ba7c0a22e49079fa6d672e2dfc25ca8024a06526f16a4515bbc1e8798d715a3416ab4809f9f8a487fb4

    • SSDEEP

      3072:rBM7AAAPsPmgSn/HzaHWgwwQjHF0kKUyodrMpNLbdr05b7pNeoAhTGl9NZ9k222H:C7h1HSn/WHnQjphwNXdr0gU9z

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks