General

  • Target

    76ede4f29dbd8a75b643e46cabd369ac888b8012630b8b244e08e0baac8535e6.zip

  • Size

    105KB

  • Sample

    240706-qp34xayfjn

  • MD5

    78040c6f58b5477433f5686fc36a3fc5

  • SHA1

    08ab725e3abdb3967d2b6034bbd0b2e12168a5fe

  • SHA256

    6a894de8a5d3285bbefc44ddf433b6a57b6199e649263204eed0d928de401ce2

  • SHA512

    b64cbf0c9a3a8f70953daa5af2feb28b65c15320c005c426fa5023e505c49362b70085f5ce331cd6f5f888129fd41fc2dc3a0609f6284dcaf4405bef6f1ab927

  • SSDEEP

    3072:LmCePnwEtOnRRo4sh80QPoNR5qpe9ZLsny:LTGQRRo5haSR0w7Qy

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      76ede4f29dbd8a75b643e46cabd369ac888b8012630b8b244e08e0baac8535e6

    • Size

      10.3MB

    • MD5

      81f79ce05d962b7d8b0d4977aead32df

    • SHA1

      e24b156a6ab8da34f07f67256cfacf1495a5eaec

    • SHA256

      76ede4f29dbd8a75b643e46cabd369ac888b8012630b8b244e08e0baac8535e6

    • SHA512

      710719709d2a5b78b862981cc186b2b8ad7d0654f000e5af41ad7a61af438f3be4ac8cd752740fd4ccb1bf146cf1975beb00aadd921054ce367ee87db099c0b1

    • SSDEEP

      6144:+5VCb4QuzF2tpIozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7:48NKF6p

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks