General

  • Target: c60a9d97501c8fccb7ce37b52654839b.zip
  • Size: 9.5MB
  • Sample: 240831-sshngs1aqa
  • MD5: 83143031ac21f9d49eccaa54f0a35253
  • SHA1: 2dc5b21784f977c6b6f47d6783492bec09ae3e7c
  • SHA256: f7125d45e932372653f44576caa67bed861e3c43cfbeb780e94db7bf1166ff11
  • SHA512: aad1716334ae4631a01a72fe42999b84555765838a8bc64122c2a416a10a2780c7dd3c6d83276c43467acded0693d9bc3dd403c93726bdd58d3318654659b152
  • SSDEEP: 196608:JK9l4Sw1zF/o6jdlTRvnVXKIqxq2D66/O8Lqm1A/yD562HN4+sD79Wpadr9mG:ABw166D1fVqHDtBL2/y1k+5puJmG

Malware Config

Extracted

  • Family: tofsee
  • C2: defeatwax.ru
  • C2: refabyd.info

Targets

    • Target: f06f8570f6999f01ade88f2c09538759e55539eb7c2d452999e1c66ca83e8c02
    • Size: 14.1MB
    • MD5: c60a9d97501c8fccb7ce37b52654839b
    • SHA1: 94fc047b6307fd89d39eaad454db89dc1d0809c4
    • SHA256: f06f8570f6999f01ade88f2c09538759e55539eb7c2d452999e1c66ca83e8c02
    • SHA512: 5254c7f7f7164e27408bdaefe28b948a0b61e576161bd92d0aecefc7b327687e2f10c80ded601fbcfd0d799d887c4b3895e251d3db0a9ef50b3a58086a53ac45
    • SSDEEP: 12288:R0Xz1CuwA5Rp0rp0rp0rp0rp0rp0rp0rp0rp0rp0rp0rp0rp0rp0rp0rp0rp0rpZ:R0X2

    Behaviour signatures

    • Tofsee: backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15