General
-
Target
475c6a7176eeac0d3495f43ee21dcdcd51474b04857ac6f2b08506096eafe85c
-
Size
120KB
-
Sample
220714-hraldabcbk
-
MD5
bcd473e359b0dce9b3d838603f108ad9
-
SHA1
a7ff28a43ecbd3ac14d1c64a5cd15ad4824bfce6
-
SHA256
475c6a7176eeac0d3495f43ee21dcdcd51474b04857ac6f2b08506096eafe85c
-
SHA512
7b12bab3aa8fb372fc46601bfc1e10fc3b025c5a8ff1f3ad2ca6e66d824c4a2caae681809000021320c952df9ec963f0105645fcd8bace5131c781ab8343d126
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
475c6a7176eeac0d3495f43ee21dcdcd51474b04857ac6f2b08506096eafe85c
-
Size
120KB
-
MD5
bcd473e359b0dce9b3d838603f108ad9
-
SHA1
a7ff28a43ecbd3ac14d1c64a5cd15ad4824bfce6
-
SHA256
475c6a7176eeac0d3495f43ee21dcdcd51474b04857ac6f2b08506096eafe85c
-
SHA512
7b12bab3aa8fb372fc46601bfc1e10fc3b025c5a8ff1f3ad2ca6e66d824c4a2caae681809000021320c952df9ec963f0105645fcd8bace5131c781ab8343d126
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-