General

  • Target

    a5e61836d4ca8f4f5fca62b50f6387cb73875a8379598ce5b0bc4c49b51f71db

  • Size

    204KB

  • Sample

    240901-eagrks1ank

  • MD5

    2cca0d99ef9380ae0ef68a0d053ad795

  • SHA1

    f0aa113074b628a37ba3b29d418739c3af3b6f72

  • SHA256

    a5e61836d4ca8f4f5fca62b50f6387cb73875a8379598ce5b0bc4c49b51f71db

  • SHA512

    3dce3450cbae60ac07af297d39aaea1ba941f9e12db9270b7b2d81ef108e509b028baf111b65e584994145caaff08e72a4965156156a73d6b39101b2a548fae9

  • SSDEEP

    3072:HTZvSByyTua6fPjvHFKaZPXFf8NMaE8slxgHz//x40slL1DpuzBI3r2VbSH6SLG6:HTZvHyTcAaZ1kTsoT//A5D7aYaT/PBw

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      2b7385aa5abdda5bbf3da3fc48215fc837b3cd15270fc618ceac03bfb5c0ddca

    • Size

      14.5MB

    • MD5

      098f305ad80931639cbd55398fae8c4a

    • SHA1

      2389c6a040ba89e89ebd0502674c8626b232c3f9

    • SHA256

      2b7385aa5abdda5bbf3da3fc48215fc837b3cd15270fc618ceac03bfb5c0ddca

    • SHA512

      611afe35a3fdf49526b6ec04a095f1fcea608b65dafd96f6e6b1d55eee5b7e3801a905620862764f91b2deb256c0a29c68da7d72ab0438421d5d5d70d8b7c3b8

    • SSDEEP

      6144:DLmhaXrxJHCx7HdqAT7mvs/bNAk3B79NmVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVj:DLmhaXrxJHuHdPT1n9N

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks