General

  • Target

    b8332866db45bf85ed517c599eaafe54.zip

  • Size

    167KB

  • Sample

    240901-t6x6rswcrq

  • MD5

    340dc1520913fd67a090b1d681dfe4a1

  • SHA1

    d743b4e97e4aba9f3975cd0508566a1d7720455f

  • SHA256

    6b6a8ff2f3276c603a55155cc67b5cd98c6d04b16c422201d8e0c77c411c6f63

  • SHA512

    8d66114382efee3354eab03b35dc0e0dacd65d3566beb9ee7c7e0ab717908b5e151ba801dbf950d5e2b36fa18f153710d0efe5391db4bd2277e35b5a1932c258

  • SSDEEP

    3072:7P2FSIb/Ai3ZvkKEsqtICoEcriJ6aOKcDSUlN/JK3g5dspdZaNgp+XIZ:nITAi9eICyrxz7lNE7dSgp+XM

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      f365d1d600ccc20bde31b7db1fd7a815b73087c9e46676e0d398289af7b7bb71

    • Size

      11.7MB

    • MD5

      b8332866db45bf85ed517c599eaafe54

    • SHA1

      f86726a6a85f613e15066a7ad77cef942e3c9d28

    • SHA256

      f365d1d600ccc20bde31b7db1fd7a815b73087c9e46676e0d398289af7b7bb71

    • SHA512

      b95ac93c7487fada804562e98f8e5db4902ab3195236c71cfa171732071d4601ce479b6eed519f61a0724a47d6cda7f9d397285c265b2c9bfb7d143ba8ef1425

    • SSDEEP

      3072:qoiqjV0QCeV75zMwb2EfDXTBrt0c5f+Z7ApWt+0krytpObPUfAGM4H1M4CjiJNx4:qoiqjWHeV9zthDjBrmA+VkDbSAgQiTx

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks