General
-
Target
2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488
-
Size
142KB
-
Sample
220612-bfkhwafgdr
-
MD5
c20d3f9c5dcd93a3dfd3b6e9aeea2541
-
SHA1
c829d1ab536df96bcc67f136c8453b51e8407934
-
SHA256
2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488
-
SHA512
4dec42790939d1d486de2c43e802583c60ff984f1c7ed4c40b744635f3a0ec2c8c9c49c3bb6f2d1942cab0da21f61a62a62aaa07381cbc841ef5a49adf3195d9
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488
-
Size
142KB
-
MD5
c20d3f9c5dcd93a3dfd3b6e9aeea2541
-
SHA1
c829d1ab536df96bcc67f136c8453b51e8407934
-
SHA256
2391d4e6b02d6ba9ce47ca34a88260c83c2f72a0886932be5a63c117a31c9488
-
SHA512
4dec42790939d1d486de2c43e802583c60ff984f1c7ed4c40b744635f3a0ec2c8c9c49c3bb6f2d1942cab0da21f61a62a62aaa07381cbc841ef5a49adf3195d9
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-