General
-
Target
VirusShare_5e867ae4a78726523d91eaea386fce6d.zip
-
Size
96KB
-
Sample
230511-vtrnwsba8y
-
MD5
fcca72dd17606bdd1ea650ea4f6f428a
-
SHA1
1eea8f488cfcd7c643963be6da5dd364284ec86c
-
SHA256
28485c139a6355cb8429d01defe5cb89e8c0c8bfc1ad5f5520341812478000b1
-
SHA512
fb538a8c62355fd65b1e637e9821fd9139be7b5ac4c821b6faabc2d3b44c397a999df96d2b91c96b2388e754cc5a508e7b1067e2341f1f98d4f6d8f09c7c388a
-
SSDEEP
1536:iUBSUaDYAJUIJVesh8oQb6VcCIYL1UJLhVZYtEoS1D1Xv5x2pu:iAaHJUILesuoAecHYa/YtE5Xv54pu
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d
-
Size
154KB
-
MD5
5e867ae4a78726523d91eaea386fce6d
-
SHA1
c9ee64774b15ada9cbd52f88bb47057647978fac
-
SHA256
78ca5753c7f93fe3ff553ae23fb87395c36a791b61952eabf6b9d96e59c7862d
-
SHA512
74d7fbb706839e32432abb761dbb02dd0e3d85e8f2f22412549d379f42027a99c4af39febb448b150e6d701d25fab4be698eb9439bcb5a247659dbf888bbb344
-
SSDEEP
1536:n9Hnxm+W0eDrB6CjnMQSoWp0MYS3+MpHiCUywyJqbgoVtcdnA+QA5Hs5W0+MWVO4:npQDBDjnLSZp3+6iCUyw6oVtrA5He1
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-