General
-
Target
c3f74d95eff83e8816bc524fa5241d02
-
Size
13.0MB
-
Sample
240312-v9zpfafa3v
-
MD5
c3f74d95eff83e8816bc524fa5241d02
-
SHA1
598e7db3c491be0e54f1d5751f38b086aa260063
-
SHA256
1c0eedabe046ba980b976207bcb574798d4ab18cd04e17ab5fef4badc26b613d
-
SHA512
134c6af0a7422f7fee1a9729f19db2ac1202da1aa22c54b90414b9b712a640e12dd49353aca2188fb4eb12d80fcc36272d3cc22fb9666e061e70eb49eb37840a
-
SSDEEP
49152:FmqCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCX:
Malware Config
Extracted
tofsee
43.231.4.6
lazystax.ru
Targets
-
-
Target
c3f74d95eff83e8816bc524fa5241d02
-
Size
13.0MB
-
MD5
c3f74d95eff83e8816bc524fa5241d02
-
SHA1
598e7db3c491be0e54f1d5751f38b086aa260063
-
SHA256
1c0eedabe046ba980b976207bcb574798d4ab18cd04e17ab5fef4badc26b613d
-
SHA512
134c6af0a7422f7fee1a9729f19db2ac1202da1aa22c54b90414b9b712a640e12dd49353aca2188fb4eb12d80fcc36272d3cc22fb9666e061e70eb49eb37840a
-
SSDEEP
49152:FmqCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCX:
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2