General
-
Target
100d8852de93e54659c2e9da519cab6934f488bf4c959889f978e49c8ba59e37
-
Size
316KB
-
Sample
220604-qxz28adgbj
-
MD5
5c3ecbbd07a3a9ea27ab0bddb1a6176d
-
SHA1
171a1e5ad3fb212af8e30d73a70338c319b4f346
-
SHA256
100d8852de93e54659c2e9da519cab6934f488bf4c959889f978e49c8ba59e37
-
SHA512
0a09c1313c03249c72f19ffe84cb5c3758b9f1394f82aaac24f969009e21b5647cf9af3b3f35703a27c8496427692a8c715c72ac3bd9f918f7cb6ccf21dc8465
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
100d8852de93e54659c2e9da519cab6934f488bf4c959889f978e49c8ba59e37
-
Size
316KB
-
MD5
5c3ecbbd07a3a9ea27ab0bddb1a6176d
-
SHA1
171a1e5ad3fb212af8e30d73a70338c319b4f346
-
SHA256
100d8852de93e54659c2e9da519cab6934f488bf4c959889f978e49c8ba59e37
-
SHA512
0a09c1313c03249c72f19ffe84cb5c3758b9f1394f82aaac24f969009e21b5647cf9af3b3f35703a27c8496427692a8c715c72ac3bd9f918f7cb6ccf21dc8465
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-