General

  • Target

    ffdceebfd66c68c128cd5c7e349881b5.zip

  • Size

    1000KB

  • Sample

    240903-mezrysvgkd

  • MD5

    70a762719bc569c87da1447620f8cc56

  • SHA1

    7a5e0fdd0f0bfd2c851fb02dbc5d57d0a8f38347

  • SHA256

    d8dbe9170ba8f445fe52170429f932404239ac53d3c22517a0eccc60f7dc4eec

  • SHA512

    c5c04681ccc436ebaae2efcfca3f94224a8a8b7cf8c657c12b7456674b8073e19f606cd1ca04b76606dad04ae931c184879cd4dee403936663d88a6e5bb191ee

  • SSDEEP

    24576:SDcZ0VbtFnnPysLS7CgZkUREK9bRUCndmek9Ylr3Y4z9Ncyi:SDqcTGCgLj9Fpk9YlzYUbcN

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      48e0ce9cfa0bd0951aaf6cff66593631c06472384d593641fe76854c7d0b3f82

    • Size

      11.2MB

    • MD5

      ffdceebfd66c68c128cd5c7e349881b5

    • SHA1

      19e173e67dea7a78b95bce015cf4a58dc2f976c7

    • SHA256

      48e0ce9cfa0bd0951aaf6cff66593631c06472384d593641fe76854c7d0b3f82

    • SHA512

      be958ffd1343a1e1c06ea68a29fa6861c6a1762a74f227190c7d2597a0a64f9926527491b8a11835975d6bf7743359423c9dbf090523d9585c7d1afb623acbd8

    • SSDEEP

      49152:wNbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb7:w

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks