General

  • Target: c6688c75d02f8d5f5674b178401b4394
  • Size: 12.6MB
  • Sample: 240313-vhzkcscb73
  • MD5: c6688c75d02f8d5f5674b178401b4394
  • SHA1: fbeb9c5f569e69cdf3821a2c044dbb0034a3bf07
  • SHA256: 499b636c7dd9cae198d84e67938f37128f745afa5dee546e92111feb9e279ea7
  • SHA512: 246a0078f2519e9201b6578b3077a692178a9fc53136d2a096ca72b1a5202b378faf71716bb668e45b786366be09db9db0437e5ec9996192d059ba08bcd37636
  • SSDEEP: 98304:UNWUlllllllllllllllllllllllllllllllllllllllllllllllllllllllllll3:CW

Malware Config

Extracted

  • Family: tofsee
  • C2: 43.231.4.7, lazystax.ru

Targets

    • Target: c6688c75d02f8d5f5674b178401b4394
    • Size: 12.6MB
    • MD5: c6688c75d02f8d5f5674b178401b4394
    • SHA1: fbeb9c5f569e69cdf3821a2c044dbb0034a3bf07
    • SHA256: 499b636c7dd9cae198d84e67938f37128f745afa5dee546e92111feb9e279ea7
    • SHA512: 246a0078f2519e9201b6578b3077a692178a9fc53136d2a096ca72b1a5202b378faf71716bb668e45b786366be09db9db0437e5ec9996192d059ba08bcd37636
    • SSDEEP: 98304:UNWUlllllllllllllllllllllllllllllllllllllllllllllllllllllllllll3:CW

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks