General

  • Target

    c695e613344c4f66430e5bb19265410c

  • Size

    14.6MB

  • Sample

    240313-w7cbssed44

  • MD5

    c695e613344c4f66430e5bb19265410c

  • SHA1

    2005b6d3d59947eb22b0b5a96214f157d85f00be

  • SHA256

    31addd4050bbbe12a5ecaf05d183ecb720f3775da9530e0e7d596fb4ba51855f

  • SHA512

    1072fec5fd5f3d47e79e64309beb76421eb49ca084097361137664e7c88d4a8fe36320cfe59ad190ef6b0ecbcdd7a49443f5d8ddd42dce796eab8b344a91a933

  • SSDEEP

    98304:gNWUlllllllllllllllllllllllllllllllllllllllllllllllllllllllllllL:WW

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks