General

  • Target

    abaf7e2ac8aedf2229f1062d84a4796b.exe

  • Size

    10.4MB

  • Sample

    240107-ychlfacgbl

  • MD5

    abaf7e2ac8aedf2229f1062d84a4796b

  • SHA1

    fa7bba090f7be8eb31875691ad1a2e758e0ff7fd

  • SHA256

    b438d5185a63d31957c98eb93d9c1f5ca1b90650a248da0bc24fc5550a03eb42

  • SHA512

    f0faa9c7b7449974817cd18cc0b40848d42932c2fb2fb8113a14d7f69ea8c7851e209af253cb4c9d7db803b6cf3d8521703ca8d40d490736a567636ac7931c68

  • SSDEEP

    6144:4bQYwYzITzPu4Dw4A+xhmvM2MiApS12tapJ1gyEUtdkKri:ywoI3Pu4Dw4A++E2MiAm2tapJfXyl

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru
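The hashes in the General section and the C2 values in the extracted config are the indicators a responder pivots on. The script below is an added example, not part of the report or of any sandbox tooling: it computes the same four digests the report lists (for in-memory bytes or a streamed file), compares them with the report's values, and scans log lines for the C2 IP and domain, counting subdomains of lazystax.ru as hits. The DNS and firewall log lines are constructed for the demo. SSDEEP is left out because it needs the ssdeep extension rather than the standard library; MD5 and SHA1 are kept only for matching against older feeds, since both are collision-prone, and SHA256 is the value to pivot on.

```python
import hashlib
import re

# File-hash indicators copied from the General section of the report above.
FILE_IOCS = {
    "md5": "abaf7e2ac8aedf2229f1062d84a4796b",
    "sha1": "fa7bba090f7be8eb31875691ad1a2e758e0ff7fd",
    "sha256": "b438d5185a63d31957c98eb93d9c1f5ca1b90650a248da0bc24fc5550a03eb42",
    "sha512": "f0faa9c7b7449974817cd18cc0b40848d42932c2fb2fb8113a14d7f69ea8c7851e209af253cb4c9d7db803b6cf3d8521703ca8d40d490736a567636ac7931c68",
}

# Network indicators from the extracted Tofsee config above.
C2_IPS = {"43.231.4.6"}
C2_DOMAINS = {"lazystax.ru"}


def hash_bytes(data):
    """Compute the four digests the report lists, over in-memory bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in FILE_IOCS}


def hash_file(path, chunk_size=1 << 20):
    """Same digests for a file on disk, streamed so a 10 MB sample is not read at once."""
    hashers = {name: hashlib.new(name) for name in FILE_IOCS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_hashes(digests, iocs=FILE_IOCS):
    """Names of the algorithms whose digest equals the indicator value (case-insensitive)."""
    return [name for name, value in digests.items() if iocs.get(name) == value.lower()]


IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def scan_log_line(line):
    """Set of C2 indicators referenced by one log line; subdomains of a C2 domain count too."""
    hits = set()
    for ip in IPV4_RE.findall(line):
        if ip in C2_IPS:
            hits.add(ip)
    for domain in DOMAIN_RE.findall(line):
        d = domain.lower()
        for c2 in C2_DOMAINS:
            if d == c2 or d.endswith("." + c2):
                hits.add(c2)
    return hits


def scan_logs(lines):
    """(1-based line number, hits) for every line that touches a C2 indicator."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_log_line(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed DNS and firewall log lines for the demo; the third is benign noise.
SAMPLE_LOGS = [
    "2024-01-07T10:15:02Z dns client=10.0.0.23 query=lazystax.ru type=A",
    "2024-01-07T10:15:03Z fw allow src=10.0.0.23 dst=43.231.4.6 dport=443",
    "2024-01-07T10:15:04Z dns client=10.0.0.24 query=updates.example.net type=A",
]

if __name__ == "__main__":
    for number, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: C2 indicator {sorted(hits)}")
    print("hash match on unrelated bytes:", match_hashes(hash_bytes(b"not the sample")))
```

Run it against a suspect file with hash_file(path) and match_hashes(); a match on sha256 alone is sufficient, a match only on md5 or sha1 deserves a second look. The domain check deliberately does not match lazystax.ru.evil.example, so a lookalike that merely embeds the C2 name as a label is not reported.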

Targets

    • Target

      abaf7e2ac8aedf2229f1062d84a4796b.exe


    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
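The signature list above names behaviours, not telemetry. The detector below is an added example, not part of the report or of the sandbox that produced it: it runs over a stream of event records shaped like Sysmon events 1 (process create), 11 (file create) and 13 (registry value set) plus System-log event 7045 (service installed), and raises one alert per behaviour it can see: a new service whose binary lives in a user-writable directory or is a file another process just dropped, a Services\...\ImagePath value written by a process outside System32 instead of by the Service Control Manager, netsh adding a firewall rule, execution of the dropped file, and a cmd.exe del whose target is its own parent. The events, the dropped filename dropped.exe, the service name svc_example and every path except the sample's own filename are constructed and hypothetical. The SetThreadContext signature (the call process hollowing uses to redirect a suspended thread) has no equivalent in these event sources and is not modelled.

```python
import re

# Constructed event records for the demo; only the sample's filename comes from the report.
# The dropped path, service name and user directory are hypothetical.
SAMPLE = r"C:\Users\u\Desktop\abaf7e2ac8aedf2229f1062d84a4796b.exe"
DROPPED = r"C:\Windows\Temp\dropped.exe"

EVENTS = [
    {"id": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"id": 7045, "ServiceName": "svc_example", "ImagePath": DROPPED, "StartType": "auto start"},
    {"id": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\svc_example\ImagePath",
     "Details": DROPPED},
    {"id": 1, "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": DROPPED,
     "CommandLine": r'netsh advfirewall firewall add rule name="svc_example" dir=in action=allow program="C:\Windows\Temp\dropped.exe"'},
    {"id": 1, "Image": DROPPED, "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": DROPPED},
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": r'cmd.exe /c del "C:\Users\u\Desktop\abaf7e2ac8aedf2229f1062d84a4796b.exe"'},
    # Benign noise: a service installed from Program Files with a quoted path.
    {"id": 7045, "ServiceName": "VendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor\Agent\agent.exe" /svc', "StartType": "auto start"},
]

# Directories an unprivileged user or a dropper can write to; a service binary
# living there is suspicious regardless of its name.
WRITABLE_DIRS = ("\\users\\", "\\windows\\temp\\", "\\programdata\\", "\\appdata\\")
FIREWALL_RE = re.compile(r"netsh\s+(advfirewall\s+firewall\s+add\s+rule|firewall\s+(add|set)\s+\w+)", re.I)
DEL_RE = re.compile(r'\bdel\b\s+"?([^"]+?\.exe)"?', re.I)


def exe_path(image_path):
    r"""Strip quoting and arguments from a service ImagePath: "C:\a b\x.exe" /svc -> C:\a b\x.exe"""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    return p.split(" ", 1)[0]


def detect(events):
    """Return (rule, event index) for each signature-list behaviour visible in the stream."""
    alerts = []
    dropped = set()  # lower-cased paths written by some process (Sysmon 11)
    for i, ev in enumerate(events):
        eid = ev["id"]
        if eid == 11:
            dropped.add(ev["TargetFilename"].lower())
        elif eid == 7045:  # Creates new service(s)
            path = exe_path(ev["ImagePath"]).lower()
            if any(d in path for d in WRITABLE_DIRS):
                alerts.append(("service_image_in_writable_dir", i))
            if path in dropped:
                alerts.append(("service_image_is_dropped_file", i))
        elif eid == 13:  # Sets service image path in registry
            target = ev["TargetObject"].lower()
            writer = ev["Image"].lower()
            if ("\\services\\" in target and target.endswith("\\imagepath")
                    and not writer.startswith("c:\\windows\\system32\\")):
                alerts.append(("imagepath_written_by_non_system_process", i))
        elif eid == 1:
            image = ev["Image"].lower()
            cmd = ev.get("CommandLine", "")
            if image in dropped:  # Executes dropped EXE
                alerts.append(("dropped_exe_executed", i))
            if image.endswith("\\netsh.exe") and FIREWALL_RE.search(cmd):  # Modifies Windows Firewall
                alerts.append(("firewall_rule_added", i))
            m = DEL_RE.search(cmd)  # Deletes itself: the parent asks cmd.exe to delete the parent
            if m and m.group(1).lower() == ev.get("ParentImage", "").lower():
                alerts.append(("self_delete", i))
    return alerts


if __name__ == "__main__":
    for rule, index in detect(EVENTS):
        print(f"{rule:40} event[{index}] id={EVENTS[index]['id']}")
```

The writable-directory rule will fire on legitimate per-user software that registers a service from AppData, so tune WRITABLE_DIRS or add an allow-list per environment; the correlation rules (service points at a just-dropped file, dropped file then executed, parent deleted by its child) are far less noisy and are the ones worth paging on.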
