Resubmissions

13/03/2024, 20:57

240313-zrqe9sgf5v 10

13/03/2024, 20:52

240313-znt92saf32 10

General

  • Target

    c6d4cf2038d7a25db793acc817f8b9de

  • Size

    11.1MB

  • Sample

    240313-znt92saf32

  • MD5

    c6d4cf2038d7a25db793acc817f8b9de

  • SHA1

    f2e47fe6121be4a780565d7bef4329c3804be07d

  • SHA256

    061896a47ccc77763b673012adc395deae9b80a67bbd2eb787c1e3f7c37da2a8

  • SHA512

    b23386edc064916f4355a6faf0bb2abe9a13dfb3e5294025d424130830b9f0f19791f68ce890ca9a4be9bb5b170bdd92de5c78c1f4fdb2e8093c7e593682b71c

  • SSDEEP

    49152:mBpQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQo:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Targets

    • Target

      c6d4cf2038d7a25db793acc817f8b9de

    • Size

      11.1MB

    • MD5

      c6d4cf2038d7a25db793acc817f8b9de

    • SHA1

      f2e47fe6121be4a780565d7bef4329c3804be07d

    • SHA256

      061896a47ccc77763b673012adc395deae9b80a67bbd2eb787c1e3f7c37da2a8

    • SHA512

      b23386edc064916f4355a6faf0bb2abe9a13dfb3e5294025d424130830b9f0f19791f68ce890ca9a4be9bb5b170bdd92de5c78c1f4fdb2e8093c7e593682b71c

    • SSDEEP

      49152:mBpQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQo:

    • Tofsee

      Backdoor/botnet that carries out malicious activity on the infected host according to commands received from its C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to (or away from) certain regions.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
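
The signatures above and the C2 entries under Malware Config translate directly into hunting logic. The following is an added example, not part of the Triage report and not Tofsee's own code: a small Python hunt over Sysmon-style events that flags the report's C2 IP and domain, the sample's MD5/SHA256, a service ImagePath written by a non-Windows binary, a netsh advfirewall rule change, and a cmd.exe self-delete. The events, file paths, service name and command lines are constructed for illustration; the exact registry key, service name and netsh command this sample uses are not given in the report and are assumptions here. The geofence check (a registry read) is left out because Sysmon does not log registry reads.

```python
import re

# Indicators taken from the "Malware Config" and hash sections of the report.
C2_IPS = {"43.231.4.6"}
C2_DOMAINS = {"lazystax.ru"}
SAMPLE_MD5 = "c6d4cf2038d7a25db793acc817f8b9de"
SAMPLE_SHA256 = "061896a47ccc77763b673012adc395deae9b80a67bbd2eb787c1e3f7c37da2a8"

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process
# create, 3 = network connect, 13 = registry value set, 22 = DNS query.
# Paths, the service name and the command lines are assumptions for illustration.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\updater.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\Public\updater.exe",
     "Hashes": f"MD5={SAMPLE_MD5},SHA256={SAMPLE_SHA256}"},
    {"EventID": 13, "Image": r"C:\Users\Public\updater.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\zqwvrtk\ImagePath",
     "Details": r"C:\Windows\zqwvrtk.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Users\Public\updater.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="zqwvrtk" dir=in '
                    'action=allow program="C:\\Windows\\zqwvrtk.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\updater.exe",
     "CommandLine": r'cmd.exe /c del "C:\Users\Public\updater.exe"'},
    {"EventID": 22, "Image": r"C:\Windows\zqwvrtk.exe",
     "QueryName": "lazystax.ru", "QueryResults": "43.231.4.6;"},
    {"EventID": 3, "Image": r"C:\Windows\zqwvrtk.exe",
     "DestinationIp": "43.231.4.6", "DestinationPort": 443},
    # Benign noise that must not fire.
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface show interface"},
]

IMAGEPATH_RE = re.compile(r"\\services\\[^\\]+\\imagepath$", re.I)


def _lower(ev, key):
    return str(ev.get(key, "")).lower()


def rule_c2_dns(ev):
    """DNS query for a C2 domain from the report, or any subdomain of it."""
    if ev.get("EventID") != 22:
        return False
    name = _lower(ev, "QueryName").rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def rule_c2_connection(ev):
    """Outbound connection to the C2 IP from the report."""
    return ev.get("EventID") == 3 and ev.get("DestinationIp") in C2_IPS


def rule_known_sample_hash(ev):
    """Process creation whose Sysmon Hashes field carries the sample's MD5/SHA256."""
    if ev.get("EventID") != 1:
        return False
    parts = (p.split("=", 1) for p in ev.get("Hashes", "").split(",") if "=" in p)
    hashes = {k.upper(): v.lower() for k, v in parts}
    return hashes.get("SHA256") == SAMPLE_SHA256 or hashes.get("MD5") == SAMPLE_MD5


def rule_service_imagepath_set(ev):
    """'Sets service image path in registry': an ImagePath value written by a
    process that is not itself a Windows binary (heuristic, an assumption here)."""
    if ev.get("EventID") != 13 or not IMAGEPATH_RE.search(ev.get("TargetObject", "")):
        return False
    return not _lower(ev, "Image").startswith("c:\\windows\\")


def rule_firewall_modified(ev):
    """'Modifies Windows Firewall': netsh advfirewall rule or profile changes.
    The sample's real command line is not in the report; this pattern is generic."""
    if ev.get("EventID") != 1 or not _lower(ev, "Image").endswith("\\netsh.exe"):
        return False
    cl = _lower(ev, "CommandLine")
    return "advfirewall" in cl and any(
        k in cl for k in ("add rule", "set allprofiles", "set currentprofile"))


def rule_self_delete(ev):
    """'Deletes itself': cmd.exe spawned by a process to delete that parent's binary."""
    if ev.get("EventID") != 1 or not _lower(ev, "Image").endswith("\\cmd.exe"):
        return False
    cl, parent = _lower(ev, "CommandLine"), _lower(ev, "ParentImage")
    return bool(parent) and " del " in cl and parent in cl


RULES = {
    "c2_dns": rule_c2_dns,
    "c2_connection": rule_c2_connection,
    "known_sample_hash": rule_known_sample_hash,
    "service_imagepath_set": rule_service_imagepath_set,
    "firewall_modified": rule_firewall_modified,
    "self_delete": rule_self_delete,
}


def hunt(events):
    """Return (rule_name, event_index) for every rule that matches an event."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


def summarize(events):
    """Hit count per rule; a host showing several of these together warrants triage."""
    counts = {name: 0 for name in RULES}
    for name, _ in hunt(events):
        counts[name] += 1
    return counts


if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name:24} event[{idx}] {SAMPLE_EVENTS[idx].get('Image')}")
```

The C2 indicators are exact matches and will hold up as long as the extracted config does; the behavioural rules (ImagePath written by a non-Windows binary, netsh advfirewall changes, cmd.exe deleting its parent) are heuristics that also fire on some legitimate installers, so treat them as corroborating signals rather than standalone alerts.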

MITRE ATT&CK Enterprise v15

Tasks