General
-
Target
c5af074d1dc7563538561414790ce838b29a04f80c877a0d3e235b83a2130d16
-
Size
13.7MB
-
Sample
220606-dyxx2adhb3
-
MD5
5408cff5586901cfb35b5ed13505c161
-
SHA1
e929d7dc906bdc0eb20c4009b085443bc7af996f
-
SHA256
c5af074d1dc7563538561414790ce838b29a04f80c877a0d3e235b83a2130d16
-
SHA512
f1f6bde7b47b13da6ede09ae7e25e1ac5444880cea3ed2bbad2a806ae7e80393998670febb7bbc0bd0221a3a9ce741b2a39ad7199ad561061e0545ae0966558c
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
c5af074d1dc7563538561414790ce838b29a04f80c877a0d3e235b83a2130d16
-
Size
13.7MB
-
MD5
5408cff5586901cfb35b5ed13505c161
-
SHA1
e929d7dc906bdc0eb20c4009b085443bc7af996f
-
SHA256
c5af074d1dc7563538561414790ce838b29a04f80c877a0d3e235b83a2130d16
-
SHA512
f1f6bde7b47b13da6ede09ae7e25e1ac5444880cea3ed2bbad2a806ae7e80393998670febb7bbc0bd0221a3a9ce741b2a39ad7199ad561061e0545ae0966558c
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-