General

  • Target

    dcfd015c0e5690dcb11fa707f52030ba

  • Size

    14.6MB

  • Sample

    240325-cm2amsdc98

  • MD5

    dcfd015c0e5690dcb11fa707f52030ba

  • SHA1

    7af426f7a65a7a4ac6df8503222f0ce4b3e92001

  • SHA256

    8b795f6fedee87d107c933dee81a87ce4acc9f1ec82f1b8bb69df2a87684547d

  • SHA512

    d2ba001589742c0234a9855bd6a5c14a3536e732705b1f5462c3bc993dfe5996c453f36d4ecb7899a3c8419f617af6f02ef99cbc5a87d04b75530e4107e89a3d

  • SSDEEP

    12288:jRXQK44fy6111111111111111111111111111111111111111111111111111113:jRx2

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      dcfd015c0e5690dcb11fa707f52030ba

    • Size

      14.6MB

    • MD5

      dcfd015c0e5690dcb11fa707f52030ba

    • SHA1

      7af426f7a65a7a4ac6df8503222f0ce4b3e92001

    • SHA256

      8b795f6fedee87d107c933dee81a87ce4acc9f1ec82f1b8bb69df2a87684547d

    • SHA512

      d2ba001589742c0234a9855bd6a5c14a3536e732705b1f5462c3bc993dfe5996c453f36d4ecb7899a3c8419f617af6f02ef99cbc5a87d04b75530e4107e89a3d

    • SSDEEP

      12288:jRXQK44fy6111111111111111111111111111111111111111111111111111113:jRx2

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks