General
-
Target
76ede4f29dbd8a75b643e46cabd369ac888b8012630b8b244e08e0baac8535e6.zip
-
Size
105KB
-
Sample
240706-qp34xayfjn
-
MD5
78040c6f58b5477433f5686fc36a3fc5
-
SHA1
08ab725e3abdb3967d2b6034bbd0b2e12168a5fe
-
SHA256
6a894de8a5d3285bbefc44ddf433b6a57b6199e649263204eed0d928de401ce2
-
SHA512
b64cbf0c9a3a8f70953daa5af2feb28b65c15320c005c426fa5023e505c49362b70085f5ce331cd6f5f888129fd41fc2dc3a0609f6284dcaf4405bef6f1ab927
-
SSDEEP
3072:LmCePnwEtOnRRo4sh80QPoNR5qpe9ZLsny:LTGQRRo5haSR0w7Qy
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
76ede4f29dbd8a75b643e46cabd369ac888b8012630b8b244e08e0baac8535e6
-
Size
10.3MB
-
MD5
81f79ce05d962b7d8b0d4977aead32df
-
SHA1
e24b156a6ab8da34f07f67256cfacf1495a5eaec
-
SHA256
76ede4f29dbd8a75b643e46cabd369ac888b8012630b8b244e08e0baac8535e6
-
SHA512
710719709d2a5b78b862981cc186b2b8ad7d0654f000e5af41ad7a61af438f3be4ac8cd752740fd4ccb1bf146cf1975beb00aadd921054ce367ee87db099c0b1
-
SSDEEP
6144:+5VCb4QuzF2tpIozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz7:48NKF6p
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1