General
-
Target
504afc470ab13dda6174b9841cd9e72c02a3e06280ad31fec4d963f723255f4e
-
Size
137KB
-
Sample
220719-ehsttaaeaj
-
MD5
bd3bdb1b7fc2f3fde188a2e79338cf30
-
SHA1
34e98f613f0e7cfbe6bfae4f3318b648dfa00485
-
SHA256
504afc470ab13dda6174b9841cd9e72c02a3e06280ad31fec4d963f723255f4e
-
SHA512
79417a065cbe56699406717c6725f0e7a6c782e8714408d3e97de79b63ea4a3d6335d1d17d9146230a6f960f9a40097a2b419fac74bc589a21d64c3e6b7f3fd1
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
504afc470ab13dda6174b9841cd9e72c02a3e06280ad31fec4d963f723255f4e
-
Size
137KB
-
MD5
bd3bdb1b7fc2f3fde188a2e79338cf30
-
SHA1
34e98f613f0e7cfbe6bfae4f3318b648dfa00485
-
SHA256
504afc470ab13dda6174b9841cd9e72c02a3e06280ad31fec4d963f723255f4e
-
SHA512
79417a065cbe56699406717c6725f0e7a6c782e8714408d3e97de79b63ea4a3d6335d1d17d9146230a6f960f9a40097a2b419fac74bc589a21d64c3e6b7f3fd1
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-