General

  • Target

    e465df146e4a00ed2e4a0d941003a13c.zip

  • Size

    166KB

  • Sample

    240902-23a6tszcrm

  • MD5

    9891680e4a54746ff41a3a6f86cb1d29

  • SHA1

    bb1c2be3030ff0cdeadf327fcbd6ffd5b77a7db9

  • SHA256

    d3bba24a43c02f7e90c13981e0fba6551e414159ab5a8f066cf44803177a5cce

  • SHA512

    275ade6e970aadcff91996ab72390f83714a5312210336e68abb2b923a569b0c9649c3505ecd4d739cf85074e2f299e55cd457489c4f6aaf4095c229e4187ebc

  • SSDEEP

    3072:dt01ypeVMa6JiuB3wprjG50lVS/BmwDgiuF8XbDEh0olLydO2eFAS9bfJ0zl/z:auiuB3SHG5uyswUGOXtdFASV6z9z

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5

    • Size

      11.3MB

    • MD5

      e465df146e4a00ed2e4a0d941003a13c

    • SHA1

      451f1f0877d638646261a730de87929f01debf68

    • SHA256

      78ffb37d0d83a6cab5ffda39feca2226b7313e14cf2591742a713cbbf4346ef5

    • SHA512

      39151020dc52e537ae0333a2a317f70406f9da72fb9013fd49358cb71a39fabc5c267e0fb19d2e28dc2fa221b218857b9dc03320f64b03e99fb31a615cc06983

    • SSDEEP

      3072:NoiqjV0QCeV75zMwb2EfDXTBrt0c5f+Z7ApWt+0krytpObPUfAGM4H1M4CjiJNx4:NoiqjWHeV9zthDjBrmA+VkDbSAgQiTx

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks