General

  • Target

    7add49d3f94626db3bfd88652c55403b.zip

  • Size

    173KB

  • Sample

    240901-eykhda1hmg

  • MD5

    5fd9d220803a99be7049e67057f3ec22

  • SHA1

    4a344bd80741714e7a406170b7ba722f28fba489

  • SHA256

    ecc447dac820e56985af81703fbca424d9309a9ebcfb152e993bc9ccc275c920

  • SHA512

    49c8143c95e8ece5dc9d9367b5a23d2d14c66e52cb6f89bd3626304837bc11617b2c3bb38a4ed21896e00572ae36589b4ccf2197872d760120ceba449d9d3ec9

  • SSDEEP

    3072:cspl2FmuWZVxgfXDP3vY3ljf1wvWlXaC1qkuyxWpY7rBlJZNo8QdBURojv/DbQEQ:THWD2Vxaz41jtwaXZ1qkuyxUITJVeBLU

Malware Config

Extracted

  • Family

    tofsee

  • C2

    defeatwax.ru

    refabyd.info

Targets

    • Target

      d15dc4c9f5cc18798572b527797678adedd953ae755a9efadbeaf76353cc199f

    • Size

      10.3MB

    • MD5

      7add49d3f94626db3bfd88652c55403b

    • SHA1

      c99c8680050272cade3963627fa87e697b4ee564

    • SHA256

      d15dc4c9f5cc18798572b527797678adedd953ae755a9efadbeaf76353cc199f

    • SHA512

      19edd3367327213abc11f3d696b46cdd4184a74e6653e43b0283aebcd0de135f43e92b69a1906328c318a5e7a3c06806665a015cbe70e5ee9e13e91e7654ca4f

    • SSDEEP

      196608:9I+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++G:9

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15