General
-
Target
36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701
-
Size
108KB
-
Sample
220626-bljtjaddc7
-
MD5
3a7c9b7345930efda1b033b5ffd6888c
-
SHA1
cce9d9ece4bbf8666894d3d52ba3bcf243140a12
-
SHA256
36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701
-
SHA512
8b76eba6a981f493b1afac3a39d62f2c91eb1919dcb439f9d9b6aa86bce20e8c66c7a91f33d0f64244cde8c974a5cffe70384320db388b71d268f9e3938d0d9a
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701
-
Size
108KB
-
MD5
3a7c9b7345930efda1b033b5ffd6888c
-
SHA1
cce9d9ece4bbf8666894d3d52ba3bcf243140a12
-
SHA256
36dd37703b6b84eb31184299be5935fd79e46b4c7b9a3f7c2bbdd73a9bedb701
-
SHA512
8b76eba6a981f493b1afac3a39d62f2c91eb1919dcb439f9d9b6aa86bce20e8c66c7a91f33d0f64244cde8c974a5cffe70384320db388b71d268f9e3938d0d9a
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-