General

  • Target: e1776531831204cab6bd4c517ad21dee
  • Size: 13.1MB
  • Sample: 240327-mp763sdd7s
  • MD5: e1776531831204cab6bd4c517ad21dee
  • SHA1: 2d0b275be0ad6c46a34cdf749d28115174ec88de
  • SHA256: 4dfe9cdc08b10ced345930a622f7ff0ad8fbdc3b7672996b72fe5ab3b95e9285
  • SHA512: 9362a982631bf219b4e3ac0caa25ff2eca386b04a8f733b4c343c3062e4a89c5e5a6fe979b628296db3de06f1beb8281fa34362ae275070794fd7d52fc10ce93
  • SSDEEP: 6144:n2BxZXDssssssssssssssssssssssssssssssssssssssssssssssssssssssssU:n4V

Malware Config

Extracted

  • Family: tofsee
  • C2: 43.231.4.7, lazystax.ru

Targets

    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
