General

  • Target

    oavszyym.exe

  • Size

    14.2MB

  • Sample

    241020-ny1c9sycpm

  • MD5

    ffc03e5a236c9017d6866dadbdd1bdb0

  • SHA1

    076cce6dd5ea98bb1bbc21280be47aa5aad0829f

  • SHA256

    036e57851b2b1068ce726544039a699f748ccbeba8bb2bbdf909cfc6fb95bb3e

  • SHA512

    5e2fa9d4ce5bc6e358eda911afa2dc3e54301ba9bf6aecc59161f707add76d19b9760be893a98e37ebd7e3b43987b4f9047ac5caea867783fdf3e7e0d89bd137

  • SSDEEP

    24576:8W/EClxN7llllllllllllllllllllllllllllllllllllllllllllllllllllllb:84HN

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

    • Target

      oavszyym.exe

    • Size

      14.2MB

    • MD5

      ffc03e5a236c9017d6866dadbdd1bdb0

    • SHA1

      076cce6dd5ea98bb1bbc21280be47aa5aad0829f

    • SHA256

      036e57851b2b1068ce726544039a699f748ccbeba8bb2bbdf909cfc6fb95bb3e

    • SHA512

      5e2fa9d4ce5bc6e358eda911afa2dc3e54301ba9bf6aecc59161f707add76d19b9760be893a98e37ebd7e3b43987b4f9047ac5caea867783fdf3e7e0d89bd137

    • SSDEEP

      24576:8W/EClxN7llllllllllllllllllllllllllllllllllllllllllllllllllllllb:84HN

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks