General
-
Target
229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f
-
Size
97KB
-
Sample
220612-e91czaahd4
-
MD5
4d20335690b8218af519b6a5ff523c94
-
SHA1
05b23688e15db6b5b5730e76c762af9a1390617c
-
SHA256
229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f
-
SHA512
ffa59b9145ee118d0dfedf4dd7b6ed364ab43d5347ba8f34d2cbdde09ca318b4f9de89b1ec4933bd0eaa7068bb15bb2bbaed3658d5b5713caf02455eed20ece5
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f
-
Size
97KB
-
MD5
4d20335690b8218af519b6a5ff523c94
-
SHA1
05b23688e15db6b5b5730e76c762af9a1390617c
-
SHA256
229b6c4fa6bf3086364bbb00da7199f5e5c006062b8d986aebc6a68efe28516f
-
SHA512
ffa59b9145ee118d0dfedf4dd7b6ed364ab43d5347ba8f34d2cbdde09ca318b4f9de89b1ec4933bd0eaa7068bb15bb2bbaed3658d5b5713caf02455eed20ece5
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-