General

  • Target

    c627c14091152787b15ad7574885cda7

  • Size

    13.8MB

  • Sample

    240313-r8gwfsfg3v

  • MD5

    c627c14091152787b15ad7574885cda7

  • SHA1

    ec22104da7f990dc108515def9f0153ca20a90e6

  • SHA256

    269808e17f6e58d39b2957a777c2b93dc3350d299aa47109f264d2180fa51a44

  • SHA512

    585ae4e528d193a2cd67e62637658473e8c527e7a187cceda545e1e0248f89955f6b8e87b9c3dde676a058589b6074259a5808dbea04e7c779c6c8e68b38b548

  • SSDEEP

    98304:wNWUllllllllllllllllllllllllllllllllllllllllllllllllllllllllllld:mW

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
