General

  • Target

    dbd97def3112b86e795bc31f8bdb58b6

  • Size

    11.1MB

  • Sample

    240321-rrfxtsdd83

  • MD5

    dbd97def3112b86e795bc31f8bdb58b6

  • SHA1

    d4828e7cebe66ae7f596f1e002dc44b15f3063d8

  • SHA256

    58dc195b75018955a9c8fdd8a6526a2602fb1b1a36ebd44f1e71d5e0e9fac333

  • SHA512

    6802e6043b4ebdbd92b0517084b65ffca42753a8dd40db3e17b23cc868d763fb604727523aeab403bab92926ee0900330872f6a41fa6d1078573776502893e32

  • SSDEEP

    49152:Oj5555555555555555555555555555555555555555555555555555555555555J:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      dbd97def3112b86e795bc31f8bdb58b6

    • Size

      11.1MB

    • MD5

      dbd97def3112b86e795bc31f8bdb58b6

    • SHA1

      d4828e7cebe66ae7f596f1e002dc44b15f3063d8

    • SHA256

      58dc195b75018955a9c8fdd8a6526a2602fb1b1a36ebd44f1e71d5e0e9fac333

    • SHA512

      6802e6043b4ebdbd92b0517084b65ffca42753a8dd40db3e17b23cc868d763fb604727523aeab403bab92926ee0900330872f6a41fa6d1078573776502893e32

    • SSDEEP

      49152:Oj5555555555555555555555555555555555555555555555555555555555555J:

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks