General

  • Target

    c482cee81e59e361aaee8921f4f2338e

  • Size

    14.9MB

  • Sample

    240313-at951shc83

  • MD5

    c482cee81e59e361aaee8921f4f2338e

  • SHA1

    772d5e25d9ece3a5b20e5d66144760b4a1aedb38

  • SHA256

    23aa7102c0b55e530f1337e29bf69978ec6d7073767ed3451779bd6297542a74

  • SHA512

    ac408bbc14978526ebba93d44ef4fcd9b60970ff09ffaab75dc0679502830cb619ac2c98b04c3f0e9a4954b527cad1cd29938ed6fe25c5a23e6ef76fbff47a19

  • SSDEEP

    98304:djhd88888888888888888888888888888888888888888888888888888888888D:d

Malware Config

Extracted

  • Family

    tofsee

  • C2

    176.111.174.19

    lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks