General
-
Target
c0d24ce085299f2d902413e27e2b6b39
-
Size
10.0MB
-
Sample
240311-rtbe5ahb46
-
MD5
c0d24ce085299f2d902413e27e2b6b39
-
SHA1
41333d57384e2bed11337acc91f1b45201d81825
-
SHA256
5c4e171526822775e6b0d1b4d2d9d722207050ceecec3164f5947b3d26f574dd
-
SHA512
8ca7f3ae69684255b96304d14c2c0e25cc40052eac0e52e9f4dee4bebd46d3a04c4b1f6cada3d854d230e878b7316d955834ea17db879799f0a57a0d7dc59ec9
-
SSDEEP
98304:Tjhd88888888888888888888888888888888888888888888888888888888888H:T
Malware Config
Extracted
tofsee
176.111.174.19
lazystax.ru
Targets
-
-
Target
c0d24ce085299f2d902413e27e2b6b39
-
Size
10.0MB
-
MD5
c0d24ce085299f2d902413e27e2b6b39
-
SHA1
41333d57384e2bed11337acc91f1b45201d81825
-
SHA256
5c4e171526822775e6b0d1b4d2d9d722207050ceecec3164f5947b3d26f574dd
-
SHA512
8ca7f3ae69684255b96304d14c2c0e25cc40052eac0e52e9f4dee4bebd46d3a04c4b1f6cada3d854d230e878b7316d955834ea17db879799f0a57a0d7dc59ec9
-
SSDEEP
98304:Tjhd88888888888888888888888888888888888888888888888888888888888H:T
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2