General
-
Target
71c2575bb762e680b8293dc29d8a8796
-
Size
12.6MB
-
Sample
240124-kf7g3sebd9
-
MD5
71c2575bb762e680b8293dc29d8a8796
-
SHA1
6788ebdfca309e8960cee240654bcde9db33f61b
-
SHA256
cec8922bca64081eab78e6bee892c82a01e57b411e59f06355365da1fe62fdfe
-
SHA512
109c3e7cf5b2bda71515e7d35f37a82f5d8bd2155d1d64224d73aa036fd08102523d520c51a041d886cd70606c837be3e75c9b2dd8c4b64bb79bbc320c04ab07
-
SSDEEP
49152:rj5555555555555555555555555555555555555555555555555555555555555z:
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
71c2575bb762e680b8293dc29d8a8796
-
Size
12.6MB
-
MD5
71c2575bb762e680b8293dc29d8a8796
-
SHA1
6788ebdfca309e8960cee240654bcde9db33f61b
-
SHA256
cec8922bca64081eab78e6bee892c82a01e57b411e59f06355365da1fe62fdfe
-
SHA512
109c3e7cf5b2bda71515e7d35f37a82f5d8bd2155d1d64224d73aa036fd08102523d520c51a041d886cd70606c837be3e75c9b2dd8c4b64bb79bbc320c04ab07
-
SSDEEP
49152:rj5555555555555555555555555555555555555555555555555555555555555z:
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2