General

  • Target

    c33369cedaad4dc209d8136dbc156b02

  • Size

    13.6MB

  • Sample

    240312-m6xrnsfd4v

  • MD5

    c33369cedaad4dc209d8136dbc156b02

  • SHA1

    7c0ab2ec7a6a308cd24de30a910fc59c82b62f18

  • SHA256

    7052e078ed150dffe5879b298eb91df4f8a6834ee5cadc7511213f018baef387

  • SHA512

    147885638913dd3d3f0f7121a512a597314cadb498c6b376c57e6ae67b6b0678746e734493235d575e9cf2d558495114b9296fcbc6774cd3ff6df49068a7602a

  • SSDEEP

    6144:kk+zzPfsaOKoQidSDIeuKVdlLc9qbF0RaLtiym:azTfsDKoQidbeuKVHlF888

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Targets

    • Target

      c33369cedaad4dc209d8136dbc156b02

    • Size

      13.6MB

    • MD5

      c33369cedaad4dc209d8136dbc156b02

    • SHA1

      7c0ab2ec7a6a308cd24de30a910fc59c82b62f18

    • SHA256

      7052e078ed150dffe5879b298eb91df4f8a6834ee5cadc7511213f018baef387

    • SHA512

      147885638913dd3d3f0f7121a512a597314cadb498c6b376c57e6ae67b6b0678746e734493235d575e9cf2d558495114b9296fcbc6774cd3ff6df49068a7602a

    • SSDEEP

      6144:kk+zzPfsaOKoQidSDIeuKVdlLc9qbF0RaLtiym:azTfsDKoQidbeuKVHlF888

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks