General

  • Target

    ddcf1f17e569b28ee27156f4c621c9ef

  • Size

    14.5MB

  • Sample

    240325-mpejrsdc96

  • MD5

    ddcf1f17e569b28ee27156f4c621c9ef

  • SHA1

    64df0f4a22686ae171cec69ffcb26d838774636a

  • SHA256

    62ff39770135a892a92e42031dda9eb1341b73ac0edc99b7d8edd8018e00e25a

  • SHA512

    fa7b2e3fb7efbf4979b3753f4cf65cdd034bee3f775ef602028a4485d034c38b419ed33224f290a3df4fb5b5ccc0df90f2d859af9d14a669bff0aa6db38a97d1

  • SSDEEP

    98304:bjhd88888888888888888888888888888888888888888888888888888888888z:b

Malware Config

Extracted

Family

tofsee

C2

176.111.174.19

lazystax.ru

Targets

    • Target

      ddcf1f17e569b28ee27156f4c621c9ef

    • Size

      14.5MB

    • MD5

      ddcf1f17e569b28ee27156f4c621c9ef

    • SHA1

      64df0f4a22686ae171cec69ffcb26d838774636a

    • SHA256

      62ff39770135a892a92e42031dda9eb1341b73ac0edc99b7d8edd8018e00e25a

    • SHA512

      fa7b2e3fb7efbf4979b3753f4cf65cdd034bee3f775ef602028a4485d034c38b419ed33224f290a3df4fb5b5ccc0df90f2d859af9d14a669bff0aa6db38a97d1

    • SSDEEP

      98304:bjhd88888888888888888888888888888888888888888888888888888888888z:b

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks