General
-
Target
28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7
-
Size
108KB
-
Sample
220615-vfsn2abbc7
-
MD5
a7b95421785baa3381af20c176aece4f
-
SHA1
20991f8fa8669bd25d468d1ab9ed9477438e7bfa
-
SHA256
28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7
-
SHA512
c70edcc1b4851ca1e4e65afe71d7b11156afc6d94e93ca4aac9c4dbb7661a1997fd18c8f91dd367ca1a809dec52aad850cf3b3ebbd381c5bb0d7bf32f3c54727
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7
-
Size
108KB
-
MD5
a7b95421785baa3381af20c176aece4f
-
SHA1
20991f8fa8669bd25d468d1ab9ed9477438e7bfa
-
SHA256
28a3e10ac80eb640748d91ce23e6ab37ac41402122bb49803c1a37d3b48adbf7
-
SHA512
c70edcc1b4851ca1e4e65afe71d7b11156afc6d94e93ca4aac9c4dbb7661a1997fd18c8f91dd367ca1a809dec52aad850cf3b3ebbd381c5bb0d7bf32f3c54727
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-