General

  • Target

    c64d35bb80502b8c0197d7397aa4cc26

  • Size

    14.4MB

  • Sample

    240313-tklkvahc4y

  • MD5

    c64d35bb80502b8c0197d7397aa4cc26

  • SHA1

    44b8be34a3bfb52a984fd5c7d3e6a1d82483002b

  • SHA256

    dc4498ebaa620691b225b4e0e9eff465260063d3ecfaf2bc81e27dd6979872d7

  • SHA512

    50637967d2450c204e8d3349cac54a27d876c0a2ade98cd2f2f7d95ad95dad59add704b34e7b2cec44a1264e64563f35012daf3dad9ea140099b96eb2b0c81be

  • SSDEEP

    49152:g3SkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkU:g3

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Targets

    • Target

      c64d35bb80502b8c0197d7397aa4cc26

    • Size

      14.4MB

    • MD5

      c64d35bb80502b8c0197d7397aa4cc26

    • SHA1

      44b8be34a3bfb52a984fd5c7d3e6a1d82483002b

    • SHA256

      dc4498ebaa620691b225b4e0e9eff465260063d3ecfaf2bc81e27dd6979872d7

    • SHA512

      50637967d2450c204e8d3349cac54a27d876c0a2ade98cd2f2f7d95ad95dad59add704b34e7b2cec44a1264e64563f35012daf3dad9ea140099b96eb2b0c81be

    • SSDEEP

      49152:g3SkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkU:g3

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks