General
-
Target
568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51
-
Size
142KB
-
Sample
220725-c7w7esbfel
-
MD5
048725634c77ed7223cd9b91d90b172b
-
SHA1
40628d5ffe1bbd7915a628938a8acac0d9c77ba3
-
SHA256
568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51
-
SHA512
ad87648a4003832c7ec6129b2745c119c693f99628295cb318d285b8c5ca23d8ec0a4682fdbe3e8a880de0f6e9b84ed78ae3279c457477d5d6a2b27f1284446c
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51
-
Size
142KB
-
MD5
048725634c77ed7223cd9b91d90b172b
-
SHA1
40628d5ffe1bbd7915a628938a8acac0d9c77ba3
-
SHA256
568bdd6fb9671d0f9cd3d2843d20aca0cae45ec57fff154b0b0c439af8f00b51
-
SHA512
ad87648a4003832c7ec6129b2745c119c693f99628295cb318d285b8c5ca23d8ec0a4682fdbe3e8a880de0f6e9b84ed78ae3279c457477d5d6a2b27f1284446c
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-