Overview

overview

10

Static

static

3

3a2d6c415a...b9.exe

windows7-x64

10

3a2d6c415a...b9.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    3a2d6c415a747b223cfe5256ebe25bb9

  • Size

    14.9MB

  • Sample

    231225-yvwk1sfdgr

  • MD5

    3a2d6c415a747b223cfe5256ebe25bb9

  • SHA1

    c850cb5288fe1b9972a53437b35c362c71110fc7

  • SHA256

    3046654f51e97991b3cf34b5a90e2b46a37624d0b129ec0bc7d387c751c88218

  • SHA512

    51f1946ef6d679f03a6f42e4fb8a393fa3cc09a464bd2faa426266da6c174e64b854b8dc5eae9bc16d53f66f025416c90e4afc7653303e7f6b7e0c5810ca2afc

  • SSDEEP

    98304:djhd88888888888888888888888888888888888888888888888888888888888g:d

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

176.111.174.19

lazystax.ru

Targets

    • Target

      3a2d6c415a747b223cfe5256ebe25bb9

    • Size

      14.9MB

    • MD5

      3a2d6c415a747b223cfe5256ebe25bb9

    • SHA1

      c850cb5288fe1b9972a53437b35c362c71110fc7

    • SHA256

      3046654f51e97991b3cf34b5a90e2b46a37624d0b129ec0bc7d387c751c88218

    • SHA512

      51f1946ef6d679f03a6f42e4fb8a393fa3cc09a464bd2faa426266da6c174e64b854b8dc5eae9bc16d53f66f025416c90e4afc7653303e7f6b7e0c5810ca2afc

    • SSDEEP

      98304:djhd88888888888888888888888888888888888888888888888888888888888g:d

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks