General
-
Target
750095c58829a6d8c2637a5533561606
-
Size
13.4MB
-
Sample
240125-t9bryaahg4
-
MD5
750095c58829a6d8c2637a5533561606
-
SHA1
85bba5814cf21b4427925ac0978751639c57ebc2
-
SHA256
702854337926972a29d67bfde8673fc202b696f2dfccf7fd21227632e4280737
-
SHA512
e91a9ec8f678071335b2ed0880cdc2375975dff6186633f03ac7a6584c415aac8da4ea1aead227cd5c74b030137c00ce4fa0ff70db80bba3df74d839c56b439a
-
SSDEEP
49152:Kj55555555555555555555555555555555555555555555555555555555555557:
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
750095c58829a6d8c2637a5533561606
-
Size
13.4MB
-
MD5
750095c58829a6d8c2637a5533561606
-
SHA1
85bba5814cf21b4427925ac0978751639c57ebc2
-
SHA256
702854337926972a29d67bfde8673fc202b696f2dfccf7fd21227632e4280737
-
SHA512
e91a9ec8f678071335b2ed0880cdc2375975dff6186633f03ac7a6584c415aac8da4ea1aead227cd5c74b030137c00ce4fa0ff70db80bba3df74d839c56b439a
-
SSDEEP
49152:Kj55555555555555555555555555555555555555555555555555555555555557:
Score10/10-
Kinsing
Kinsing is a loader written in Golang.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2