General

  • Target

    c43d854fcf796987e1c818dbdebdedb7

  • Size

    12.7MB

  • Sample

    240312-155b1scb8v

  • MD5

    c43d854fcf796987e1c818dbdebdedb7

  • SHA1

    70c3575704a32be2977029aa4828ff07900a9c17

  • SHA256

    3879b860225989ad53a9f72a30004dc820b6a4052c2d3abafb3d898ca75546ea

  • SHA512

    57c9337232bb511ba10f2adadccd4dfbbc0a06c9745fb141f59010792b0b963014529907ae8ac2fd8eba22de6b1cab6bbb4452969e87254a875d7f7788ec7e18

  • SSDEEP

    49152:Dc67fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffP:Dc6

Malware Config

Extracted

  • Family

    tofsee

  • C2

    43.231.4.6

    lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks