General
-
Target
04edd196520ec1c472d1a69df6c8d694
-
Size
14.3MB
-
Sample
231229-1sr6xshcdj
-
MD5
04edd196520ec1c472d1a69df6c8d694
-
SHA1
7bbd144397a0ac008ae9c7f8e5f9973297d12e98
-
SHA256
71140e3530b8d3224519bb17ed90c8d22fe56349bc8a99399072d8bd4e52c37f
-
SHA512
e78fc3d955303980c6dd6389d615b03ab838f557bf453d0281e3996cd40a07e9ecd3b6a20e021fc5c3f3d353940057dd0bf3ae55bbc0ce32c7f12f6b6f323b11
-
SSDEEP
98304:HvjOF///////////////////////////////////////////////////////////:L
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
04edd196520ec1c472d1a69df6c8d694
-
Size
14.3MB
-
MD5
04edd196520ec1c472d1a69df6c8d694
-
SHA1
7bbd144397a0ac008ae9c7f8e5f9973297d12e98
-
SHA256
71140e3530b8d3224519bb17ed90c8d22fe56349bc8a99399072d8bd4e52c37f
-
SHA512
e78fc3d955303980c6dd6389d615b03ab838f557bf453d0281e3996cd40a07e9ecd3b6a20e021fc5c3f3d353940057dd0bf3ae55bbc0ce32c7f12f6b6f323b11
-
SSDEEP
98304:HvjOF///////////////////////////////////////////////////////////:L
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2