General
-
Target
6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525
-
Size
13.9MB
-
Sample
220605-sy7vkabgf9
-
MD5
3aaa4aecbe1e2646394602569e6cac7d
-
SHA1
191a54ac2bc0b727669fd08bb804fc7fd17601d5
-
SHA256
6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525
-
SHA512
7a36b8a7c2fd9189a3987e0ad1d109d3e81072546784d99719104f2359042285aaa2f9f0b4173effd6713b291813d9f08ae8804a87fb89bb0baea3b1fb20e86a
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525
-
Size
13.9MB
-
MD5
3aaa4aecbe1e2646394602569e6cac7d
-
SHA1
191a54ac2bc0b727669fd08bb804fc7fd17601d5
-
SHA256
6ec7645e2cbbaf7d7d6c836cacf353c072bab4e785992c90b172f26263d55525
-
SHA512
7a36b8a7c2fd9189a3987e0ad1d109d3e81072546784d99719104f2359042285aaa2f9f0b4173effd6713b291813d9f08ae8804a87fb89bb0baea3b1fb20e86a
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-