General

  • Target

    c305249eb607f74c01ebea52ee7e4a04

  • Size

    13.0MB

  • Sample

    240312-le6d3afd77

  • MD5

    c305249eb607f74c01ebea52ee7e4a04

  • SHA1

    d0fc20af80585b140012d6d80d96784bdb1ef546

  • SHA256

    f59945f469bed06a9a1b7d209c83cbed65c61bf41b1f6812a2c7bc93c3dee50c

  • SHA512

    998bac48a417a6183fd5b0e8f99e49a6788f7aadc7d630cd163793e93c480d164363adb54a832ed8cd983a6704da0acac0420d4b0e117a6a25b669b78a753660

  • SSDEEP

    49152:RNS3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3SH:R

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      c305249eb607f74c01ebea52ee7e4a04

    • Size

      13.0MB

    • MD5

      c305249eb607f74c01ebea52ee7e4a04

    • SHA1

      d0fc20af80585b140012d6d80d96784bdb1ef546

    • SHA256

      f59945f469bed06a9a1b7d209c83cbed65c61bf41b1f6812a2c7bc93c3dee50c

    • SHA512

      998bac48a417a6183fd5b0e8f99e49a6788f7aadc7d630cd163793e93c480d164363adb54a832ed8cd983a6704da0acac0420d4b0e117a6a25b669b78a753660

    • SSDEEP

      49152:RNS3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3S3SH:R

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks