General

  • Target

    e1575762bbcd444066e98b182b336b46

  • Size

    11.0MB

  • Sample

    240327-lg3qyscd6z

  • MD5

    e1575762bbcd444066e98b182b336b46

  • SHA1

    a617290181f0aa49c8b3ad54eba3034e2e43e7b9

  • SHA256

    54eb4e029d1781a122e4ee76d2339fddc54a887ab2f08d10dab27091e4188ca2

  • SHA512

    7b08b9f88b2436079ab2280046ca2b4d5e32830e2cca284013074c6bea240d5b96e30cad4445910e9430ba1bc15d173e24a43481a618b5964ecec69ed4c603ea

  • SSDEEP

    6144:WJuDszifRNFwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww/:kubf7

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      e1575762bbcd444066e98b182b336b46

    • Size

      11.0MB

    • MD5

      e1575762bbcd444066e98b182b336b46

    • SHA1

      a617290181f0aa49c8b3ad54eba3034e2e43e7b9

    • SHA256

      54eb4e029d1781a122e4ee76d2339fddc54a887ab2f08d10dab27091e4188ca2

    • SHA512

      7b08b9f88b2436079ab2280046ca2b4d5e32830e2cca284013074c6bea240d5b96e30cad4445910e9430ba1bc15d173e24a43481a618b5964ecec69ed4c603ea

    • SSDEEP

      6144:WJuDszifRNFwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww/:kubf7

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks