General

  • Target

    e06ae8f7d80ef958686b2378d3936803

  • Size

    11.8MB

  • Sample

    240327-bk4sbabf81

  • MD5

    e06ae8f7d80ef958686b2378d3936803

  • SHA1

    e09cc994f9c6a81600bcf4465d21ca2922c5d368

  • SHA256

    0b971b889d6ff55f096419e35a24a5560f5085f2cba575d60e4629a51b8fa776

  • SHA512

    482b3c4a83e57949a9f583f8b99f56c6046938487dc25507fe53feae6ab490872684ae838116966b76483166d161b74cc5357c8604b3a8e41f5c93db1ae3fd62

  • SSDEEP

    49152:ogntttttttttttttttttttttttttttttttttttttttttttttttttttttttttttt9:o

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      e06ae8f7d80ef958686b2378d3936803

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks