General

  • Target: 82a7c81b43a959017a8d6ed01d86bc32ef53f4b57d36bd8791afdbd5ef8420c7
  • Size: 5.9MB
  • Sample: 240831-ghfwcsyeld
  • MD5: 3e8e77ee19add4e377e5c0e8bfc0bea5
  • SHA1: 29ba4219bd20a0b91cd5e76944816dcf91b1e1b9
  • SHA256: 82a7c81b43a959017a8d6ed01d86bc32ef53f4b57d36bd8791afdbd5ef8420c7
  • SHA512: b2909c172726dc86eb50dd5ce1befecb359421d378c2d802f631dd24fe77f91c69b187de5181553c6f086a4b18b7cad0d48383f8894e8e413334ae4255c8962f
  • SSDEEP: 98304:OHy3Vpqrbf81zZvSfRyGxxLXgZ84y1YB58U3czLEjFZ0ScqNnR2nzID6WvVso/Go:JFsrbfQd6J/LQZ8XYX8U3cpqnR2zIeWP

Malware Config

Extracted

  • Family: tofsee
  • C2: 43.231.4.7, lazystax.ru

Targets

    • Target: 00a7fe01857f4c5a118c936b5573b4c2755c8369534870394c3d61a5af058bcc
    • Size: 11.2MB
    • MD5: 6673656f0eea34edbe311046d2525113
    • SHA1: d94411ba9cec4a38a2f2ddf11df6f2e27eb5cbfd
    • SHA256: 00a7fe01857f4c5a118c936b5573b4c2755c8369534870394c3d61a5af058bcc
    • SHA512: f321489b42db6d062837414749adaefffeb87703f937b8ebb1e27a670cae75128af278222284b8bd72d26828535b1683d821e97b721d110b971d183312f37a01
    • SSDEEP: 12288:ozZd0++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/:ozZ

    • Tofsee
      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15