General

  • Target

    e14fb56de5ea21ac4b4e5485529e6a83

  • Size

    14.8MB

  • Sample

    240327-k77bdscb7w

  • MD5

    e14fb56de5ea21ac4b4e5485529e6a83

  • SHA1

    5cbb499ba62ba7dd93cbd7b17dc46771171b5c3e

  • SHA256

    2128702918131aaeff3660753c5a6fb7cc0dd49d9bcf3887a5b09776682df0cf

  • SHA512

    4d0145e9b7224f675c856285e6835494604a6753958298c1a125da0b09429dbdaab1816602cf362df279a0f5d60ee132527f92e33b12b5322cfd91567e43599f

  • SSDEEP

    98304:/jhd88888888888888888888888888888888888888888888888888888888888Q:/

Malware Config

Extracted

Family

tofsee

C2

176.111.174.19

lazystax.ru

Targets

    • Target

      e14fb56de5ea21ac4b4e5485529e6a83

    • Size

      14.8MB

    • MD5

      e14fb56de5ea21ac4b4e5485529e6a83

    • SHA1

      5cbb499ba62ba7dd93cbd7b17dc46771171b5c3e

    • SHA256

      2128702918131aaeff3660753c5a6fb7cc0dd49d9bcf3887a5b09776682df0cf

    • SHA512

      4d0145e9b7224f675c856285e6835494604a6753958298c1a125da0b09429dbdaab1816602cf362df279a0f5d60ee132527f92e33b12b5322cfd91567e43599f

    • SSDEEP

      98304:/jhd88888888888888888888888888888888888888888888888888888888888Q:/

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks