General

  • Target

    dc12e18aad630e9d0d30d34107dce88e

  • Size

    14.5MB

  • Sample

    240321-tt51vaha4v

  • MD5

    dc12e18aad630e9d0d30d34107dce88e

  • SHA1

    de07c2b68c299b60393a1d978d2ecaf00f985dca

  • SHA256

    4079f6cf9ce7d85e29f8480c786691fa8177629e7b87a965862eeda4b8ac28e0

  • SHA512

    07d644650e480d3b025c97b6682847a54de9d7b0c2bdf5e07d2bcabeaa24798b745943e831af4054532e0345a5f71c3414451b08a4edf83afed09206ed83f0ff

  • SSDEEP

    24576:WXzqpE5DpEMMMMMMMb4zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:WXPVpEMMMMMMMb

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks