General

  • Target

    e0a4648b134b1a64ba0c159ed586638e

  • Size

    11.1MB

  • Sample

    240327-dwswasee6v

  • MD5

    e0a4648b134b1a64ba0c159ed586638e

  • SHA1

    fb2182a82428b7888e1d23a0283ff5a4d1b871fd

  • SHA256

    92bfe1ff95da2c913e37d04aaa22073551a472fc05f9604a256f072c27b52ec2

  • SHA512

    deed0014f583fde02b9875855dc533ab30bd467c32acdcfebe87b708ebc278374ff599762a6cff235385abf6a13685933aaa6d4317f58d0708404f7a92d6b52f

  • SSDEEP

    196608:bvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv+:bvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv+

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks