General

  • Target

    aee483bf0ab0bbba03e7add1c7b24d70.zip

  • Size

    1.2MB

  • Sample

    240831-smnbsazfqq

  • MD5

    13451bc55f6b6d4d7606dae320822c0f

  • SHA1

    fc7f7743819b03e05a55ba5668d4a189d0ecc63d

  • SHA256

    dcb4d53f8972063ba7c8b391357484899843e0848a35792a12b981ac066b059e

  • SHA512

    d6dbcf438dd1956b2bc69316612ea610c2be4a41f0ccef934e89d96a9b061618b3d6f4ea9adb0e3aca06898578db07fd084a7bf3216c9492136ac34217e7f6aa

  • SSDEEP

    24576:DghjpFFc6QFiHQX+6Tv8FORTENeB+S/k0fCVkLDoBVLbdi09l1j0b:MU6YiHQX+W3Ek9XfXEdb9rje

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      79231c2cacbfc0da610bb317d280a96d0d10e63a5824d5d052e41e57fb85bd6f

    • Size

      12.5MB

    • MD5

      aee483bf0ab0bbba03e7add1c7b24d70

    • SHA1

      15ef01d3f681c7ec8cfb1e55a318723f4f4406f7

    • SHA256

      79231c2cacbfc0da610bb317d280a96d0d10e63a5824d5d052e41e57fb85bd6f

    • SHA512

      4dfe9bb49aec68b29055ab74aaac4efd83e96051072aa9f15bd2a8530376ba58f1b3d7741229a5fd96f81cd92ead9481918b4fe580bcc4baae158269d985d80e

    • SSDEEP

      6144:0ngjLKfnGE+Nj43Gd/50NS0UG4th+d49EOVVVVVVVVVVVVVVVVVVVVVVVVVVVVV7:fiOE+Nj4Q50k0UGIh+dJ

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks