General

  • Target

    db981282c76c9b8a20cf0504ca070c33

  • Size

    13.9MB

  • Sample

    240321-pc7qwscg3z

  • MD5

    db981282c76c9b8a20cf0504ca070c33

  • SHA1

    6b463294504543031e08504de0300dddfd7adb97

  • SHA256

    99ada2dab6315e4fe23f64f8445eb17c62a65919994a1a23741785b1837df923

  • SHA512

    e9022b9f62f85e5626295fa8d5607ad89ded1a61a07323e5d262fbfa26e87f08ddb400d8f696a65790221ceae853589013885ace2f50dac8ff6e73a776c6e236

  • SSDEEP

    49152:7jrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrP:r

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks