General

  • Target

    c385a5d52248b9dc7e863b4ecabd5413

  • Size

    10.8MB

  • Sample

    240312-q4g5zscc64

  • MD5

    c385a5d52248b9dc7e863b4ecabd5413

  • SHA1

    54e6892eb63999cd3c7fa286d72b9f5c18994193

  • SHA256

    8f6388694e21aae6ee97c0b8414287ea265def0b0b39737b4449662280d5fe8e

  • SHA512

    87c6d9cac46f556d8feba31caf34a58de58e5da7175b13578c2a38f3e3ac756b7b91a6340607d438e57b949c5dee52d206bfd4d0f629cf69e48c62b9a63d85f0

  • SSDEEP

    98304:Ajhd888888888888888888888888888888888888888888888888888888888880:A

Malware Config

Extracted

  • Family

    tofsee

  • C2

    176.111.174.19

    lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
