General

  • Target

    e13dccc93268b6ecfa5ec147bc81de7e

  • Size

    10.1MB

  • Sample

    240327-khk2vsge34

  • MD5

    e13dccc93268b6ecfa5ec147bc81de7e

  • SHA1

    af120c84e56bcc74a3b93be96f76cc40804ca701

  • SHA256

    bab713fc344881c8e7a7b30a23b43fc8a2b0d21039b36c1691874d35a30dc24d

  • SHA512

    c26a7b4f05fe681d39be48c35d65a6956aa4b4a47e4ce03cb40da7de3726ab00bf66bcfc0b7996c86dfd1c99fb1b90ebb1f8f04d3cd83ec54b0e80a569aaf69f

  • SSDEEP

    49152:31yvllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll:3A

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks