General

  • Target

    e11b18ff74afa251a61e5ccc88ee23b1

  • Size

    10.8MB

  • Sample

    240327-h7139sfc88

  • MD5

    e11b18ff74afa251a61e5ccc88ee23b1

  • SHA1

    6ae4d790222e70caaad62a21537a4ef2f204d0bd

  • SHA256

    9df396a0dfe7ab93ee714f1ff1cab9307879eb4418fbd11d2a2bd0e13a7bc68f

  • SHA512

    0aaa6570f9059d0323810100cdfb121084b58745b4ea9897ad2ed0af35ac40d5d03994d22ec9102a00192d53d37e5bd76f6d9534dfb60de00f29db961910d24d

  • SSDEEP

    49152:2j5555555555555555555555555555555555555555555555555555555555555F:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      e11b18ff74afa251a61e5ccc88ee23b1

    • Size

      10.8MB

    • MD5

      e11b18ff74afa251a61e5ccc88ee23b1

    • SHA1

      6ae4d790222e70caaad62a21537a4ef2f204d0bd

    • SHA256

      9df396a0dfe7ab93ee714f1ff1cab9307879eb4418fbd11d2a2bd0e13a7bc68f

    • SHA512

      0aaa6570f9059d0323810100cdfb121084b58745b4ea9897ad2ed0af35ac40d5d03994d22ec9102a00192d53d37e5bd76f6d9534dfb60de00f29db961910d24d

    • SSDEEP

      49152:2j5555555555555555555555555555555555555555555555555555555555555F:

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks