General
-
Target
1c8743843e7dcdc405dcfdc5745a05d66f8807740d0d7e3cd169172b9559c0d8
-
Size
138KB
-
Sample
220607-scaypsdeak
-
MD5
e70dc7260416996a8b62ff3b6e0420f6
-
SHA1
3ad2783d4bc4ffd6d0a2dd4a61f16229b27839d0
-
SHA256
1c8743843e7dcdc405dcfdc5745a05d66f8807740d0d7e3cd169172b9559c0d8
-
SHA512
260dfd93c94cf67c91345a1d8c6a5c2399633e25b53b8ad3d87b246235893a385728c86229f36ac257fe20d5dd979248af2c90b5b93f9dc402a0d59b6b71662e
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
1c8743843e7dcdc405dcfdc5745a05d66f8807740d0d7e3cd169172b9559c0d8
-
Size
138KB
-
MD5
e70dc7260416996a8b62ff3b6e0420f6
-
SHA1
3ad2783d4bc4ffd6d0a2dd4a61f16229b27839d0
-
SHA256
1c8743843e7dcdc405dcfdc5745a05d66f8807740d0d7e3cd169172b9559c0d8
-
SHA512
260dfd93c94cf67c91345a1d8c6a5c2399633e25b53b8ad3d87b246235893a385728c86229f36ac257fe20d5dd979248af2c90b5b93f9dc402a0d59b6b71662e
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-