General

  • Target: a3592693bf98d11182e83ed40779c3a1.exe
  • Size: 14.0MB
  • Sample: 240107-x18l4accdr
  • MD5: a3592693bf98d11182e83ed40779c3a1
  • SHA1: c19e3a35d2b90f2099f34caffdaab6e14d4488d4
  • SHA256: 916264a72ba7e6ab72941fadd14604649ac8afe6865c755ae32528cd8e20f9a4
  • SHA512: e557ed6c28577ab66c830e9a02ba4edc238a7e555f0fac47b7a3afad98523ade9acda9325d6959ad5bb9bba794c2354db9dfc1131d7136f87deb733f2d0baf75
  • SSDEEP: 49152:oaafPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP:o

Malware Config

Extracted

  • Family: tofsee
  • C2: 43.231.4.6, lazystax.ru

Targets

    • Target: a3592693bf98d11182e83ed40779c3a1.exe

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks