General

  • Target

    d9e243d127d578d8fcde48778ebfe68c.bin

  • Size

    13.2MB

  • Sample

    240322-dnt4dshh8z

  • MD5

    d9e243d127d578d8fcde48778ebfe68c

  • SHA1

    eb9cef0a50c18d831176b409882b63d4b1c0830c

  • SHA256

    df51afae95a31e17f6143f3b407102882004e617832f92f0ef2953aba4da3a21

  • SHA512

    093fddc0a126703c3c9d1649eb865d1be2397ed3f06eda3c2d61da39f63dc9bb8a26d497d9cac73214a7467d6f6c9a00c3dd77b98b504ac9a466e36e07546c60

  • SSDEEP

    49152:PRBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBb:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Targets

    • Target

      d9e243d127d578d8fcde48778ebfe68c.bin

    • Size

      13.2MB

    • MD5

      d9e243d127d578d8fcde48778ebfe68c

    • SHA1

      eb9cef0a50c18d831176b409882b63d4b1c0830c

    • SHA256

      df51afae95a31e17f6143f3b407102882004e617832f92f0ef2953aba4da3a21

    • SHA512

      093fddc0a126703c3c9d1649eb865d1be2397ed3f06eda3c2d61da39f63dc9bb8a26d497d9cac73214a7467d6f6c9a00c3dd77b98b504ac9a466e36e07546c60

    • SSDEEP

      49152:PRBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBb:

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks