General
-
Target
34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c
-
Size
104KB
-
Sample
220619-yv5tpaddd4
-
MD5
b8aefed6abece4f59edf9567a0cafed5
-
SHA1
df318db2b549a7a6e6bf51fbf3a55627bc8a8f1c
-
SHA256
34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c
-
SHA512
c7671d6482045f57db20d9c4e5113843b32af79d0a7f04f916caa44d83a8f0a7733801d7cf202e52418432a79cbd324947a8583ae39866b5619889f4ddb69bdf
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c
-
Size
104KB
-
MD5
b8aefed6abece4f59edf9567a0cafed5
-
SHA1
df318db2b549a7a6e6bf51fbf3a55627bc8a8f1c
-
SHA256
34c414bf27ed2603e855e7ad3578a9ac86b03faa1a7db3278cedead5ffa1458c
-
SHA512
c7671d6482045f57db20d9c4e5113843b32af79d0a7f04f916caa44d83a8f0a7733801d7cf202e52418432a79cbd324947a8583ae39866b5619889f4ddb69bdf
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-