General
-
Target
072e24f5e23e9e4f9bb798741f1ccc99
-
Size
14.7MB
-
Sample
231225-fxa3zseee9
-
MD5
072e24f5e23e9e4f9bb798741f1ccc99
-
SHA1
e636dfd63f3f8d37b73f6848a710ad99f66f8c34
-
SHA256
0a3af55292603f184d5a1a9e9fdc42ac1741f1f996fbac73a8a2da28d7640324
-
SHA512
a32bccd0865ad55f59d0763753806e0dddfdd8dc6dfe40997cc23888a72c0c53d070ec0765ad99e46bae6706bb11a32974f25a239ba72524273c325d44223871
-
SSDEEP
98304:pjhd88888888888888888888888888888888888888888888888888888888888:p
Malware Config
Extracted
tofsee
176.111.174.19
lazystax.ru
Targets
-
-
Target
072e24f5e23e9e4f9bb798741f1ccc99
-
Size
14.7MB
-
MD5
072e24f5e23e9e4f9bb798741f1ccc99
-
SHA1
e636dfd63f3f8d37b73f6848a710ad99f66f8c34
-
SHA256
0a3af55292603f184d5a1a9e9fdc42ac1741f1f996fbac73a8a2da28d7640324
-
SHA512
a32bccd0865ad55f59d0763753806e0dddfdd8dc6dfe40997cc23888a72c0c53d070ec0765ad99e46bae6706bb11a32974f25a239ba72524273c325d44223871
-
SSDEEP
98304:pjhd88888888888888888888888888888888888888888888888888888888888:p
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2