General

  • Target

    c703ea9e333eb773c82d5bce093c7285

  • Size

    14.6MB

  • Sample

    240313-2ewgvsdb68

  • MD5

    c703ea9e333eb773c82d5bce093c7285

  • SHA1

    f60a7c1b192e4437db780edcd55b7253f90a9697

  • SHA256

    8d1d3e2e74c4b7ae21ffc1c36b8ed25b0109a1b9cd7b21fb36f5d123fc60e671

  • SHA512

    4a89e6ebbae90f8b067cddf66a49a41518c9ef7380e05df4f15cf743b81a95da331416e44c680f14815557b65eee898a047cacd5ce4cb0872a8055a42db36a98

  • SSDEEP

    49152:WD8uesPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP:Ae

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      c703ea9e333eb773c82d5bce093c7285

    • Size

      14.6MB

    • MD5

      c703ea9e333eb773c82d5bce093c7285

    • SHA1

      f60a7c1b192e4437db780edcd55b7253f90a9697

    • SHA256

      8d1d3e2e74c4b7ae21ffc1c36b8ed25b0109a1b9cd7b21fb36f5d123fc60e671

    • SHA512

      4a89e6ebbae90f8b067cddf66a49a41518c9ef7380e05df4f15cf743b81a95da331416e44c680f14815557b65eee898a047cacd5ce4cb0872a8055a42db36a98

    • SSDEEP

      49152:WD8uesPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP:Ae

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks