General
-
Target
b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190
-
Size
97KB
-
Sample
220731-htzy2sdfh7
-
MD5
d728588592929f9bf15f3751b2021b5c
-
SHA1
03165adb99b7471a7e8e271d8ae1aec391a7ed14
-
SHA256
b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190
-
SHA512
75f723bab92604734235007e73950cb2e20374f00439eb155210e2ac5da4c2e09b936e7d3e54c3fd18bfea5f9b35a7e56c565be184f70bcfa3b38129f0e5b637
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190
-
Size
97KB
-
MD5
d728588592929f9bf15f3751b2021b5c
-
SHA1
03165adb99b7471a7e8e271d8ae1aec391a7ed14
-
SHA256
b3486e0d693e668eec18773a3da49ad26de5fbae3b5993b26726262f0687a190
-
SHA512
75f723bab92604734235007e73950cb2e20374f00439eb155210e2ac5da4c2e09b936e7d3e54c3fd18bfea5f9b35a7e56c565be184f70bcfa3b38129f0e5b637
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-