General

  • Target

    e2353ed9c7720f67e8b87c586bc44c90

  • Size

    12.0MB

  • Sample

    240327-v32v8ahb32

  • MD5

    e2353ed9c7720f67e8b87c586bc44c90

  • SHA1

    4ffae8ea0b829e27a72122268701dea2ade892d7

  • SHA256

    fe89666f6b4946494f28334fd92fb7a0b2d76f8da171cafa2a2d90d4b418ad19

  • SHA512

    926bc376d45888a4a13a839b03aa72a18b7ce481e9986b963242e562ecbc5d76d8c34d9eb29fe7755549e133e6252b2d724add4dcec28f386d27153365567b09

  • SSDEEP

    98304:zjhd88888888888888888888888888888888888888888888888888888888888c:z

Malware Config

Extracted

Family

tofsee

C2

176.111.174.19

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
