General

  • Target

    e0c9f5dc207b174eb23d686e21c8b25f

  • Size

    14.3MB

  • Sample

    240327-e8p6lsch59

  • MD5

    e0c9f5dc207b174eb23d686e21c8b25f

  • SHA1

    ded14e721ed10d6b5b73cf0825452bad6cb022c6

  • SHA256

    0674a89e93a01682da529ee237d2029c9e18dbbe4414d6e1b66e3fa83b67415e

  • SHA512

    c7ceb2d0011659dae8a9953d4a2ed51cf104faec760fe9278325df24efc7c91cbb3c946e6fb066362d41eb9aa052400537781d1a87b56149297e19dcfc1a0f96

  • SSDEEP

    49152:T3Skkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk3:T3

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru
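The hashes and C2 indicators above are the only concrete, matchable data on this page. The following is an added example, not code from the sandbox report or from the Tofsee malware: it matches a byte string against the four reported file hashes and scans a few constructed DNS and firewall log lines (not from the report) for the C2 IP 43.231.4.6 and the C2 domain lazystax.ru, counting subdomains of the C2 domain as hits.

```python
"""Added example, not part of the sandbox report: match a file and a few
network log lines against the indicators this report lists for the Tofsee
sample (file hashes, C2 IP 43.231.4.6, C2 domain lazystax.ru).

The sample bytes and the log lines below are constructed for the demo.
"""
import hashlib
import ipaddress
import re

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "md5": "e0c9f5dc207b174eb23d686e21c8b25f",
    "sha1": "ded14e721ed10d6b5b73cf0825452bad6cb022c6",
    "sha256": "0674a89e93a01682da529ee237d2029c9e18dbbe4414d6e1b66e3fa83b67415e",
    "sha512": (
        "c7ceb2d0011659dae8a9953d4a2ed51cf104faec760fe9278325df24efc7c91c"
        "bb3c946e6fb066362d41eb9aa052400537781d1a87b56149297e19dcfc1a0f96"
    ),
}
C2_IPS = {ipaddress.ip_address("43.231.4.6")}
C2_DOMAINS = {"lazystax.ru"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def file_hashes(data: bytes) -> dict:
    """Compute the four digests the report lists for a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def hash_matches(data: bytes) -> list:
    """Names of the digests that equal the reported sample's.

    One match is enough to confirm the exact file. No match only says this
    is not byte-identical; a repacked build needs the network indicators.
    """
    computed = file_hashes(data)
    return [name for name, digest in computed.items() if digest == SAMPLE_HASHES[name]]


def matching_c2_domain(host: str):
    """Return the C2 domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in C2_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log(lines) -> list:
    """Return (line_number, indicator_type, indicator) for every C2 hit.

    Each line is checked for the C2 IP (exact) and the C2 domain (exact or
    subdomain, so a DNS query for mail.lazystax.ru still counts).
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # e.g. "999.1.1.1" is not a valid address
            if addr in C2_IPS:
                hits.append((number, "ip", str(addr)))
        for token in HOST_RE.findall(line):
            domain = matching_c2_domain(token)
            if domain is not None:
                hits.append((number, "domain", domain))
    return hits


# Constructed telemetry (a DNS resolver log and a firewall log), not taken
# from the report. Lines 1, 2 and 4 refer to the C2 infrastructure.
CONSTRUCTED_LOG = [
    "2024-03-27T10:11:02Z dns client=10.0.0.15 query=lazystax.ru type=A",
    "2024-03-27T10:11:03Z fw allow 10.0.0.15:49213 -> 43.231.4.6:443",
    "2024-03-27T10:11:05Z dns client=10.0.0.22 query=example.com type=A",
    "2024-03-27T10:11:06Z dns client=10.0.0.15 query=mail.lazystax.ru type=MX",
]

if __name__ == "__main__":
    print(hash_matches(b"constructed bytes, not the real sample"))
    for hit in scan_log(CONSTRUCTED_LOG):
        print(hit)
```

Hash matching only confirms the byte-identical file; the domain and IP checks are what catch a repacked variant that still talks to the same infrastructure, which is why the domain match includes subdomains.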

Targets

    • Target

      e0c9f5dc207b174eb23d686e21c8b25f

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks