General

  • Target

    80886a1c834f57b2fb57d166d1b31430.zip

  • Size

    140KB

  • Sample

    240831-sedsdazbmr

  • MD5

    0d773ef6684c5bb5e5acc69cc8fc2b31

  • SHA1

    05157fa306eb6230f6c3649e0c2ce9d420104807

  • SHA256

    a0b7aeeece34b200813eb2cb3e11bf9f6a569de6b393a6486b05f1fafcdc42cb

  • SHA512

    8c0e87f412f63672857de5250535cf2774844b10ef292cf0101ae8e229e1031f6bee34cac39023e8a962957f72f876096f19a6b9dd66c37c39db81e75e7e883c

  • SSDEEP

    3072:ii6Xhaisb7RgLB6/13HHwj53KfaJ/Nd2moh1VbjfTdu8xMn08b9XZ:ii6XhaPqs/ZHHw1SaJ/HoL1duZv

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      9a6b44b5b8536a0cc1a4f7f996ca0ccf0524c591b382a0c1e6be630d172ad009

    • Size

      14.2MB

    • MD5

      80886a1c834f57b2fb57d166d1b31430

    • SHA1

      fe991ee5b5ee0678b4be9bfbbe6bded33041dd2b

    • SHA256

      9a6b44b5b8536a0cc1a4f7f996ca0ccf0524c591b382a0c1e6be630d172ad009

    • SHA512

      4e74a405389201795953be1a2dd8ce399891060da079bd52d23eb7c1340b12b9c49385c4ee0866090558a41548f9383060d4891ef1b8a9b90a98e9e0e8b783dc

    • SSDEEP

      6144:OM0Em6Qk5N3Sccccccccccccccccccccccccccccccccccccccccccccccccccc3:IEma

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks