General

  • Target

    c6b8e16456cb6ad1d5d9e48cb85002e6

  • Size

    14.3MB

  • Sample

    240313-ylaxysgf22

  • MD5

    c6b8e16456cb6ad1d5d9e48cb85002e6

  • SHA1

    b09501e9b030e8387867d34be4d7bfa00e12f73c

  • SHA256

    4d599979536ac8118ced4ca02dd9cc479fe196d9c8ee4723123ded443acfb3a1

  • SHA512

    ba1701a3add7befef3abe50bf46b1015c2390294902a899c92dad8219785e5c21d40e4a78fa9ec349cf3b4c21833095cd527343453bf08e5f45a90e0028f7a2c

  • SSDEEP

    49152:yj5555555555555555555555555555555555555555555555555555555555555R:

Malware Config

Extracted

  • Family

    tofsee

  • C2

    43.231.4.7
    lazystax.ru

Targets

    • Target

      c6b8e16456cb6ad1d5d9e48cb85002e6

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks