General
-
Target
23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855
-
Size
101KB
-
Sample
220612-c8243afbh5
-
MD5
fc3b31c8214d209f6783baedfbfd514b
-
SHA1
f457e855dea420e7ae69129d1437b31c33b78d25
-
SHA256
23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855
-
SHA512
6232c34e88c1da8fd9d13cd6c81bce59b7552ade20d2e0df736334ae96f9501eb1e63f4f3dbc207e8096c7e3a2111db2c73067c84b50a6da2a62285c789d7eb4
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855
-
Size
101KB
-
MD5
fc3b31c8214d209f6783baedfbfd514b
-
SHA1
f457e855dea420e7ae69129d1437b31c33b78d25
-
SHA256
23197502be28aab6501b23608fd0f3d82bbf096fd990db91f6bbfc1dc41ff855
-
SHA512
6232c34e88c1da8fd9d13cd6c81bce59b7552ade20d2e0df736334ae96f9501eb1e63f4f3dbc207e8096c7e3a2111db2c73067c84b50a6da2a62285c789d7eb4
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-