General

  • Target

    2982b7bd416aeb7c2e7e3aa4ae69ce61d8a2c011b1ca91e197f6bd93707bf50a

  • Size

    11.3MB

  • Sample

    240811-y9f4wawgmn

  • MD5

    2fad788c761b7eb8a800cbd64e01d297

  • SHA1

    f24192b49cb577d631647b2f607250f738855aa2

  • SHA256

    2982b7bd416aeb7c2e7e3aa4ae69ce61d8a2c011b1ca91e197f6bd93707bf50a

  • SHA512

    67232df46c66c2a39ca63cd0c2f018149581af626ecd9c13839d1dc987c0c394ac6d1ed0ea962dcc6aa6eeb2ce857ce8fbaef98a5e1d2b0c1834f324e9af804b

  • SSDEEP

    6144:X+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:X+r1IeSXMXc7LlxWV4Ug97GZ+ej

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks