General

  • Target

    dfeea44cc24cf96d91368723c6921b72

  • Size

    14.5MB

  • Sample

    240326-yam35sad58

  • MD5

    dfeea44cc24cf96d91368723c6921b72

  • SHA1

    5faec61a24bd3b66b690fc1428950a4a3b04c8a5

  • SHA256

    b59335a7d1969d4f2ddc5ad5dc569e8578deda189d8b7ae251c8ecfa49343964

  • SHA512

    7a44bb5a32080f310093859ed2032bcd2ba755ffc490c95878a116b36b03d761510395cf88f018263f09329c45c4bf56280f18b259316452ba3328734f5d1021

  • SSDEEP

    6144:H5VCb4QuzFIpIozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz/:Z8NKFIp

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      dfeea44cc24cf96d91368723c6921b72

    • Size

      14.5MB

    • MD5

      dfeea44cc24cf96d91368723c6921b72

    • SHA1

      5faec61a24bd3b66b690fc1428950a4a3b04c8a5

    • SHA256

      b59335a7d1969d4f2ddc5ad5dc569e8578deda189d8b7ae251c8ecfa49343964

    • SHA512

      7a44bb5a32080f310093859ed2032bcd2ba755ffc490c95878a116b36b03d761510395cf88f018263f09329c45c4bf56280f18b259316452ba3328734f5d1021

    • SSDEEP

      6144:H5VCb4QuzFIpIozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz/:Z8NKFIp

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks