General

  • Target

    6f32d5855575c11807a9b7c4225f896e2fa9fca00e265c29237ab0edda8ed70d

  • Size

    161KB

  • Sample

    240901-xnkdqsyhlm

  • MD5

    2c7de68d54eb0dca41907480238b6459

  • SHA1

    7d1a1808ebe744149290e62379434c45d48db956

  • SHA256

    6f32d5855575c11807a9b7c4225f896e2fa9fca00e265c29237ab0edda8ed70d

  • SHA512

    5efc1e3ce09fa0aced3593cfe8f3983f5312abe09e8addf84d4185000efb76aaafd39672f3fba811f4272546890b1c49c8856854d7fedc08a31285f7b2360ce1

  • SSDEEP

    3072:Oh9qS3Q9DRZWfOn5YamWbevFEtZUiyFKjb+jT2VvHB8FcMwg8arDWZHWTbK4t5ct:Oh9fAD7BiIeWYiyYTNeDL8Mpbnt5cOh8

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      d26320c9bf38d0c8da62667729d9c28c8c9a71bb1395bf33dff11b59cda8f6c4

    • Size

      10.6MB

    • MD5

      32cbda26c9835c1c63f2fed688fb5bb9

    • SHA1

      1b8b5445b2ff31e5377c0a2297672bf656695777

    • SHA256

      d26320c9bf38d0c8da62667729d9c28c8c9a71bb1395bf33dff11b59cda8f6c4

    • SHA512

      34246c7b622d4ff88c401d25da883962dfba46c878bf9387f3b72942add8ccfe1785b4c5dfbacfcbbc1a3f40e866cc701ce2ff8f2334868ae16b150e61de4e5e

    • SSDEEP

      12288:KQeoegEG/Rl1M7jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjz:KQeGX1M

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks