General
-
Target
c2606b3de392035475b6b4024ad1a3de
-
Size
14.0MB
-
Sample
240312-ecs8dsff5t
-
MD5
c2606b3de392035475b6b4024ad1a3de
-
SHA1
0b45bd02f6b7a658f8a40708adacdbddf40765dc
-
SHA256
820ec7efbfb65f9ed9335fcb4b3d6c28a9e5ea53a310b19a77b8f7a7edf2bfa2
-
SHA512
dd0afe8e72a369314e1e693191668fe2c4b8802793f03d0cb988b07c145722e62e8a1e0563caf595e395816c253047745e2ff4ddd16f3b8a391a8a2d509cf6d4
-
SSDEEP
49152:/O2iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiu:/O
Malware Config
Extracted
tofsee
43.231.4.6
lazystax.ru
Targets
-
-
Target
c2606b3de392035475b6b4024ad1a3de
-
Size
14.0MB
-
MD5
c2606b3de392035475b6b4024ad1a3de
-
SHA1
0b45bd02f6b7a658f8a40708adacdbddf40765dc
-
SHA256
820ec7efbfb65f9ed9335fcb4b3d6c28a9e5ea53a310b19a77b8f7a7edf2bfa2
-
SHA512
dd0afe8e72a369314e1e693191668fe2c4b8802793f03d0cb988b07c145722e62e8a1e0563caf595e395816c253047745e2ff4ddd16f3b8a391a8a2d509cf6d4
-
SSDEEP
49152:/O2iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiu:/O
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2