General

  • Target

    c4933471effc0921a3db685f0990654e

  • Size

    11.0MB

  • Sample

    240313-bfmcgaab25

  • MD5

    c4933471effc0921a3db685f0990654e

  • SHA1

    97b3a10e0e0c96d4dbb24db70e9f1df5bc2c7c39

  • SHA256

    0863ee256610e05ca30f2f1431ad7be32634480c11a40d6f19186f0d5f3c075f

  • SHA512

    b2cb7a054a234aef2bf44285749e976452ec8dec14a8c335257b78ff2daff1c6da37dc5281f173d04645bd6c676bc2197d8b96645ed45340ce00c119086b160e

  • SSDEEP

    24576:rjY+lg48SlJPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPf:+HSl

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks