General

  • Target

    dd925588ab275431bf0562fd8d588a9c

  • Size

    12.0MB

  • Sample

    240325-kfjq1sbd25

  • MD5

    dd925588ab275431bf0562fd8d588a9c

  • SHA1

    64ead66696c988b9b072039cb3bdf498940b7525

  • SHA256

    00af88e95246736ae391245de74c1ffac823c30a280900a738b8d54e32e08937

  • SHA512

    3eb74ad32cf5f5c3dc5d3572b79fb6908e56ba789b961c45700df76cc33978cdb375a69965d1bfcbace5075aebeb450f2b92fca05ab83f2aa4d6180c50f00fa9

  • SSDEEP

    49152:iHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH:

Malware Config

  • Extracted

    Family: tofsee

    C2:

      43.231.4.6

      lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks