General
-
Target
ff21828fb3915046a904aca7876e98a8f994b2fcbf872d0eee15b0f025380201.exe
-
Size
355KB
-
Sample
241231-29tazsxjhl
-
MD5
1d5d4b18e2f0f03c8de6d08390dc192c
-
SHA1
f76fe6a8dd3a26d51a94c7a44e93f549bd182518
-
SHA256
ff21828fb3915046a904aca7876e98a8f994b2fcbf872d0eee15b0f025380201
-
SHA512
e0a12427841f8c2f4f3655f0a42a210d5ae79bdb51d4a351315a800653b786ce2257600da7f3e2a592c65146594e06fa9cee68ff9dd62a991fa909f1fee4313d
-
SSDEEP
6144:hvo5HY2USvj5R/i2gCiX0oH1VmyerYDn1QqaFZczX3V5wRjejHH5TAb5:hA5HY2USr5R/i2gCy0oVVmyerK1/aFZ7
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Targets
-
-
Target
ff21828fb3915046a904aca7876e98a8f994b2fcbf872d0eee15b0f025380201.exe
-
Size
355KB
-
MD5
1d5d4b18e2f0f03c8de6d08390dc192c
-
SHA1
f76fe6a8dd3a26d51a94c7a44e93f549bd182518
-
SHA256
ff21828fb3915046a904aca7876e98a8f994b2fcbf872d0eee15b0f025380201
-
SHA512
e0a12427841f8c2f4f3655f0a42a210d5ae79bdb51d4a351315a800653b786ce2257600da7f3e2a592c65146594e06fa9cee68ff9dd62a991fa909f1fee4313d
-
SSDEEP
6144:hvo5HY2USvj5R/i2gCiX0oH1VmyerYDn1QqaFZczX3V5wRjejHH5TAb5:hA5HY2USr5R/i2gCy0oVVmyerK1/aFZ7
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2