General
-
Target
1788c90e47e33020a545656cf59b5f557a93d90e449cd356d578309e71a5c195
-
Size
143KB
-
Sample
220608-ze4gcscch3
-
MD5
aad43b23811400fcc73d8c22b4420660
-
SHA1
a9230effebe05616919532d05e2506ed503bd422
-
SHA256
1788c90e47e33020a545656cf59b5f557a93d90e449cd356d578309e71a5c195
-
SHA512
b928c25bf1e18f45ff91ce307f90186724d4c750702459b3da9672794245488adcc1280132bf342ae76a5c9b1a6cdb9220ce26ae675b0591fc0da38917a29005
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
1788c90e47e33020a545656cf59b5f557a93d90e449cd356d578309e71a5c195
-
Size
143KB
-
MD5
aad43b23811400fcc73d8c22b4420660
-
SHA1
a9230effebe05616919532d05e2506ed503bd422
-
SHA256
1788c90e47e33020a545656cf59b5f557a93d90e449cd356d578309e71a5c195
-
SHA512
b928c25bf1e18f45ff91ce307f90186724d4c750702459b3da9672794245488adcc1280132bf342ae76a5c9b1a6cdb9220ce26ae675b0591fc0da38917a29005
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-