General

Target: 2ea3f9f2f531dc5153dd2e93f7cc763ce3e425c67eb64dcd06f5204598649b59
Size: 142KB
Sample: 220622-jfmx1aafdr
Score: 10/10
MD5: 5e40852b1b836ae50ea61b4dc56124e9
SHA1: b01babd89da56da58ae26ea756bfe6dbdbc917d5
SHA256: 2ea3f9f2f531dc5153dd2e93f7cc763ce3e425c67eb64dcd06f5204598649b59
SHA512: 7e57324bafde20171129bd0a873654cece5827e93a00423bf98a89612343cd483fd67556dedaa72c5ae92f2a603c9dfab880881d986722d1403c508b523bc276

Malware Config

Extracted

Family: tofsee
C2: 43.231.4.7
C2: lazystax.ru

Signatures

  • Tofsee
    Description: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  • Creates new service(s)
    TTPs: New Service
  • Executes dropped EXE
  • Modifies Windows Firewall
    TTPs: Modify Existing Service
  • Sets service image path in registry
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Deletes itself
  • Suspicious use of SetThreadContext

Tasks

  • static1: Score N/A
  • behavioral1: Score 10/10
  • behavioral2: Score N/A