General

  • Target

    c6b7a74dc495ad3c75d922f97a1925aa

  • Size

    11.0MB

  • Sample

    240313-yjne9sed8v

  • MD5

    c6b7a74dc495ad3c75d922f97a1925aa

  • SHA1

    d52bb73f296cdff059b72f23db118ef6e00f3f25

  • SHA256

    364f1f8b80d1740c45b76590cd5b3ca1e7a73501b3cd7a4d0892d54e20c77b6f

  • SHA512

    b041231a8f47a35893273281e07e4bba9f901c892b8dd59098ec25a5d946adab734f60d3e9003c4e5fe21a761689819bf240113b677e8ed7952591f82a3bc99b

  • SSDEEP

    6144:Rpga/kTEu7YhWvd4SGhe+4lrbESqsWXI1qwbJ3zC/ggggggggggggggggggggggY:Rpg+yEu7KfSGJgrb6XX4Fz

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Targets

    • Target

      c6b7a74dc495ad3c75d922f97a1925aa

    • Size

      11.0MB

    • MD5

      c6b7a74dc495ad3c75d922f97a1925aa

    • SHA1

      d52bb73f296cdff059b72f23db118ef6e00f3f25

    • SHA256

      364f1f8b80d1740c45b76590cd5b3ca1e7a73501b3cd7a4d0892d54e20c77b6f

    • SHA512

      b041231a8f47a35893273281e07e4bba9f901c892b8dd59098ec25a5d946adab734f60d3e9003c4e5fe21a761689819bf240113b677e8ed7952591f82a3bc99b

    • SSDEEP

      6144:Rpga/kTEu7YhWvd4SGhe+4lrbESqsWXI1qwbJ3zC/ggggggggggggggggggggggY:Rpg+yEu7KfSGJgrb6XX4Fz

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks