General

  • Target

    c6a25da89581e0330adab23a91d81323

  • Size

    13.1MB

  • Sample

    240313-xncznafa44

  • MD5

    c6a25da89581e0330adab23a91d81323

  • SHA1

    0491f142aa3535c828d44507532933214cf27de8

  • SHA256

    c1752278be8ba79a133ee5c720df7135e343510becd837f0d0127733c0846e57

  • SHA512

    c0e7d82a6b6c97a7e6aed6e605a8530e6502b04c6fef54d1792218808e59bcb00422c372b235b0ecb625dd40d9aaa106891d348800eacd2ec541286dcb3d6d93

  • SSDEEP

    6144:vM7q8RJgcdyozssssssssssssssssssssssssssssssssssssssssssssssssss:vlkh

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks