General

  • Target

    e12a319c194221f33e2b5bb5d18b3879

  • Size

    13.3MB

  • Sample

    240327-jsegdsfh36

  • MD5

    e12a319c194221f33e2b5bb5d18b3879

  • SHA1

    f6fc0dc98b173a7440c99af835e5a208e4af02df

  • SHA256

    2125d69f164ddcd2f45cf7df8ccb0c42f1fd2ece783dbed163eccbde5fa0f7da

  • SHA512

    9d8391c2bd321f35ccacaff7a2a80c7f4ebd1957d20e0c781ab88b31ce403b9a6002e333674feb8c7e2fdd761e098a686a879196b99346bba4e475e6c07d8534

  • SSDEEP

    24576:Il3YWRibbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbX:

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      e12a319c194221f33e2b5bb5d18b3879

    • Size

      13.3MB

    • MD5

      e12a319c194221f33e2b5bb5d18b3879

    • SHA1

      f6fc0dc98b173a7440c99af835e5a208e4af02df

    • SHA256

      2125d69f164ddcd2f45cf7df8ccb0c42f1fd2ece783dbed163eccbde5fa0f7da

    • SHA512

      9d8391c2bd321f35ccacaff7a2a80c7f4ebd1957d20e0c781ab88b31ce403b9a6002e333674feb8c7e2fdd761e098a686a879196b99346bba4e475e6c07d8534

    • SSDEEP

      24576:Il3YWRibbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbX:

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks