General

  • Target: 85fc255b144ad1bae941cb10f76c562d.zip

  • Size: 10.1MB

  • Sample: 240903-h8z8cs1ckn

  • MD5: f9d7a58c326ca336936f9103a1fc468b

  • SHA1: 51a2cd80179b8996175d5612459928c9868d5347

  • SHA256: cf8d65c8fcb2a30a77d65c80bb7b64e8b9391367b15ea9a01527af6b17992a49

  • SHA512: 563653e73ca46144ca2d73fcd53983709f0a51cb67f01adfdd8ff3f0edef61548099c39d2d4e7a06515220297d89f35c36850b45621f79c8bbe20948bb91aad6

  • SSDEEP: 196608:8jk/gGOgkfAuQoBk0uussoCeYyYWg6TVSUfDQ7wiope2QYkjRTNsj0F:rgGOdIuQoBkasssDVSuQ7rSVk1O0F

Malware Config

Extracted

Family: tofsee

C2:

  • defeatwax.ru

  • refabyd.info

Targets

    • Target: 93c57d1b6044486f8962a08e6ce7c774d54c0dc8fad2da404eb99e451b75b2e9

    • Size: 14.7MB

    • MD5: 85fc255b144ad1bae941cb10f76c562d

    • SHA1: 6961b75a7e5e1720c6fd01b4979c77f3269e7aec

    • SHA256: 93c57d1b6044486f8962a08e6ce7c774d54c0dc8fad2da404eb99e451b75b2e9

    • SHA512: e7e6ce112594f2d6a597ecd063e2797f1695be72dbd59316410d186be6e8876116662aa95d9ad25107a079b04eaffa7a7c039a99f2ef2fa15ae4681bace3f819

    • SSDEEP: 98304:/UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUc:

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands received from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks