General
-
Target
5180841adc8b05306e558987b811386d6ce6a6306f99b34c8bcfe70256d7493d
-
Size
143KB
-
Sample
220718-r866cafbd4
-
MD5
aa26771afab30b105973b298705f5c6e
-
SHA1
351cbad600bb9db991f16b2b32bceec3ddb05af3
-
SHA256
5180841adc8b05306e558987b811386d6ce6a6306f99b34c8bcfe70256d7493d
-
SHA512
ea3f95ec131d168189aae8757f90e10c16a3a7f732e1ee05951e4ec5de246298d5cf4266781c3ed8d28b07921093b166e642cfa76690128221ee69e15bf906e4
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
5180841adc8b05306e558987b811386d6ce6a6306f99b34c8bcfe70256d7493d
-
Size
143KB
-
MD5
aa26771afab30b105973b298705f5c6e
-
SHA1
351cbad600bb9db991f16b2b32bceec3ddb05af3
-
SHA256
5180841adc8b05306e558987b811386d6ce6a6306f99b34c8bcfe70256d7493d
-
SHA512
ea3f95ec131d168189aae8757f90e10c16a3a7f732e1ee05951e4ec5de246298d5cf4266781c3ed8d28b07921093b166e642cfa76690128221ee69e15bf906e4
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-