General

  • Target

    8ef57b0ee52ad8d343c5febce2c3caf3.zip

  • Size

    7.3MB

  • Sample

    240831-sgtllszdmh

  • MD5

    d9bc5f20e9ac28ddc0b3214d89554d04

  • SHA1

    2a0438d458e17187ed7e681114882ed3f6591125

  • SHA256

    730b0be8bf7b5c2c19c83650efcc341ecaf6e9c02e5ef7fe0ce5fb4a00a54007

  • SHA512

    20e370e7ebbd929326058f0d3d3993509e2dbe14013fe3c4f87bb989301a78b54a8f47dc9921cafee9a534d747fd36b7d20c867d391ee6c283be0ad708927704

  • SSDEEP

    196608:RiZcvoXtY7Ac5cZVda3bMPPMA5SG8reAb2gOfRK4:RiZcvn9cZVbb5SGs2gef

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      9d4f75a0010bb641b3429acee75c668c42b991c897a80d6ac4ffe84f2cea44c0

    • Size

      10.9MB

    • MD5

      8ef57b0ee52ad8d343c5febce2c3caf3

    • SHA1

      944e9be261db19754da9c1a097c7ac05f42fb7e9

    • SHA256

      9d4f75a0010bb641b3429acee75c668c42b991c897a80d6ac4ffe84f2cea44c0

    • SHA512

      630fa92ce62e6c9c0e8a6bdda757719c08d9344df5dfbe9867fa775e2d1f71e480e4fd4f6e9d386700f8caefda4577ab230295c209615df493d86c4411dbeb65

    • SSDEEP

      24576:3AWcGx111111111111111111111111111111111111111111111111111111111X:3HH

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks