General

  • Target

    c457027890ace6d31658a2faf1399a67

  • Size

    12.8MB

  • Sample

    240312-24s32afd99

  • MD5

    c457027890ace6d31658a2faf1399a67

  • SHA1

    c6f2d250fbb9f6d065f2e1e22dfded3c2e09996e

  • SHA256

    8a007424b6aae8b2dc2801a066241d7d2f4e43ec9f888b9b2453535f259745b6

  • SHA512

    a1770c00c89ff631ee65d36a779b06abac3d5a9eab274a08ccda943b3b692d361601a762891511769f18b741ab88b41d5e57d98de1a3362f75a20fe065e68b4b

  • SSDEEP

    6144:FJu3szifRNFyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyC:XuHf7

Malware Config

Extracted

  • Family

    tofsee

  • C2

    43.231.4.7

    lazystax.ru

Targets

    • Target

      c457027890ace6d31658a2faf1399a67

    • Size

      12.8MB

    • MD5

      c457027890ace6d31658a2faf1399a67

    • SHA1

      c6f2d250fbb9f6d065f2e1e22dfded3c2e09996e

    • SHA256

      8a007424b6aae8b2dc2801a066241d7d2f4e43ec9f888b9b2453535f259745b6

    • SHA512

      a1770c00c89ff631ee65d36a779b06abac3d5a9eab274a08ccda943b3b692d361601a762891511769f18b741ab88b41d5e57d98de1a3362f75a20fe065e68b4b

    • SSDEEP

      6144:FJu3szifRNFyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyC:XuHf7

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks