General
-
Target
39e2b92059aea92f0cef66384347db789668df9ba87067a21060b6fdf7da7bc9
-
Size
312KB
-
Sample
220625-jg1v9abeem
-
MD5
469c2f23c85976e2d7a79c013b87121b
-
SHA1
a98f1b95299a2546aca7e959b9af97eed341a01b
-
SHA256
39e2b92059aea92f0cef66384347db789668df9ba87067a21060b6fdf7da7bc9
-
SHA512
1ef5fdeb5f0fd3872d351c93c661fdebc504cec452ff9e00ab3abc7a84aea0be9ba3d2de52e7c3c900b67b55d95c2422d0cdc2ed16ada940a4f662ac884559c9
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
39e2b92059aea92f0cef66384347db789668df9ba87067a21060b6fdf7da7bc9
-
Size
312KB
-
MD5
469c2f23c85976e2d7a79c013b87121b
-
SHA1
a98f1b95299a2546aca7e959b9af97eed341a01b
-
SHA256
39e2b92059aea92f0cef66384347db789668df9ba87067a21060b6fdf7da7bc9
-
SHA512
1ef5fdeb5f0fd3872d351c93c661fdebc504cec452ff9e00ab3abc7a84aea0be9ba3d2de52e7c3c900b67b55d95c2422d0cdc2ed16ada940a4f662ac884559c9
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-