General

  • Target

    dd2449cc99a8ebb87ee86c1500f97a41

  • Size

    14.4MB

  • Sample

    240325-d6f99aaa4t

  • MD5

    dd2449cc99a8ebb87ee86c1500f97a41

  • SHA1

    d380615538d78ce99b7ce40a2ee73cb97d57941e

  • SHA256

    6a7b41efa4831599f18fc65fef165a9fd49aa3210eb715a6253487d2bc7572dd

  • SHA512

    10ffbe4054a0cf2b51442daf023649ee47858a5dca0b116b6b999635feb1b83d4428fdd2bf6a3b36d7fd5ec2005e1a4d7a4263715a344b9d1293b3fcf73cd7af

  • SSDEEP

    24576:FjY+lg48SlJPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPH:gHSl

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Targets

    • Target

      dd2449cc99a8ebb87ee86c1500f97a41

    • Size

      14.4MB

    • MD5

      dd2449cc99a8ebb87ee86c1500f97a41

    • SHA1

      d380615538d78ce99b7ce40a2ee73cb97d57941e

    • SHA256

      6a7b41efa4831599f18fc65fef165a9fd49aa3210eb715a6253487d2bc7572dd

    • SHA512

      10ffbe4054a0cf2b51442daf023649ee47858a5dca0b116b6b999635feb1b83d4428fdd2bf6a3b36d7fd5ec2005e1a4d7a4263715a344b9d1293b3fcf73cd7af

    • SSDEEP

      24576:FjY+lg48SlJPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPH:gHSl

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks