General

  • Target

    c7070c4414efca06dcce90807f326564

  • Size

    10.2MB

  • Sample

    240313-2kfctsbb5w

  • MD5

    c7070c4414efca06dcce90807f326564

  • SHA1

    92b97b9ca3ae609a5cf5feda57b1759204068247

  • SHA256

    7184fe6d49cdd1c629794894a3b08bfa0f4bd645dbc9076ecc6b9c371cf12568

  • SHA512

    64ea14cfd256e89c51507a51a11def906b5cab68ac5dfbaaa89162424c1264214fb135d1dd1bf727ba79384e8465b366fad742f23898fe0d46933177f3a7f481

  • SSDEEP

    196608:SRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRh:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Targets

    • Target

      c7070c4414efca06dcce90807f326564

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry; likely used as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks