General
-
Target
b27e4f6888ead7b1bace259ebb494d540fe4d4398b176e53e7963222bdbbcc3e.exe
-
Size
10.2MB
-
Sample
241121-bfjxcaxlfx
-
MD5
0a5435b0caf94bf65e29727f66456c25
-
SHA1
76eb55c90ec530ed3969c4fffbf2a64196c90673
-
SHA256
b27e4f6888ead7b1bace259ebb494d540fe4d4398b176e53e7963222bdbbcc3e
-
SHA512
115278b35b2f5c4e93cc4ddcda82c61a6a2faf5bf58ada753eed8ab3afb110c407cc0dbcc175ecc4b245a9e0ce199df96cc8bb2d07e7f7b8b9659c7052119472
-
SSDEEP
12288:EZv3F8h86NMcoGuc3FXE4WrIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIB:Ep3F8Au3FPW9
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
b27e4f6888ead7b1bace259ebb494d540fe4d4398b176e53e7963222bdbbcc3e.exe
-
Size
10.2MB
-
MD5
0a5435b0caf94bf65e29727f66456c25
-
SHA1
76eb55c90ec530ed3969c4fffbf2a64196c90673
-
SHA256
b27e4f6888ead7b1bace259ebb494d540fe4d4398b176e53e7963222bdbbcc3e
-
SHA512
115278b35b2f5c4e93cc4ddcda82c61a6a2faf5bf58ada753eed8ab3afb110c407cc0dbcc175ecc4b245a9e0ce199df96cc8bb2d07e7f7b8b9659c7052119472
-
SSDEEP
12288:EZv3F8h86NMcoGuc3FXE4WrIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIB:Ep3F8Au3FPW9
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2