General
-
Target
123fc368dbf1ca4c0c4e02744b482619595c1243e79716979daeef9ba40db493
-
Size
138KB
-
Sample
220603-1w8m3sadcr
-
MD5
0307b1309a9cba61448538348168bc63
-
SHA1
1f434133f38bf2f91c28dbad9dba038cdbb8a63a
-
SHA256
123fc368dbf1ca4c0c4e02744b482619595c1243e79716979daeef9ba40db493
-
SHA512
eda4e15eb86832d6555d587e66d3f05327d239a03a73efaa15280b8ff77af6a17a09986bca3ddd3c08ba3db44581a865193691c69d07e46b409c8fd4c4205831
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
123fc368dbf1ca4c0c4e02744b482619595c1243e79716979daeef9ba40db493
-
Size
138KB
-
MD5
0307b1309a9cba61448538348168bc63
-
SHA1
1f434133f38bf2f91c28dbad9dba038cdbb8a63a
-
SHA256
123fc368dbf1ca4c0c4e02744b482619595c1243e79716979daeef9ba40db493
-
SHA512
eda4e15eb86832d6555d587e66d3f05327d239a03a73efaa15280b8ff77af6a17a09986bca3ddd3c08ba3db44581a865193691c69d07e46b409c8fd4c4205831
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-