General
-
Target
d99fdafe7f0e720d1ee19abe7a5af10f98f486407cbc23825bd0f6f19b7664fa
-
Size
299KB
-
Sample
220731-hmjcqaddd6
-
MD5
572b56cf081eb05fd5e149c5c42d1750
-
SHA1
a7400abf0762a08475b418a042b0d67155bda028
-
SHA256
d99fdafe7f0e720d1ee19abe7a5af10f98f486407cbc23825bd0f6f19b7664fa
-
SHA512
7d4d5bad69990ede43f1137ceec73e74fdcde90a1e253bf81773cee5f821dae25db4e8b005335ed961a6149fc690e4c75b7b677526fb398fe217882fa0bc6954
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
d99fdafe7f0e720d1ee19abe7a5af10f98f486407cbc23825bd0f6f19b7664fa
-
Size
299KB
-
MD5
572b56cf081eb05fd5e149c5c42d1750
-
SHA1
a7400abf0762a08475b418a042b0d67155bda028
-
SHA256
d99fdafe7f0e720d1ee19abe7a5af10f98f486407cbc23825bd0f6f19b7664fa
-
SHA512
7d4d5bad69990ede43f1137ceec73e74fdcde90a1e253bf81773cee5f821dae25db4e8b005335ed961a6149fc690e4c75b7b677526fb398fe217882fa0bc6954
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-