General

  • Target

    afac4eb9d79efcd0395d59351bdef0776b852ea337601cfbd9a79da3a1fad6b2.exe

  • Size

    11.7MB

  • Sample

    241120-yskezashnl

  • MD5

    41e5a3e35502d37dbc0bf74651a2ec6c

  • SHA1

    f50ce2fc231fc554a1592af2ca6ac1a8c4918286

  • SHA256

    afac4eb9d79efcd0395d59351bdef0776b852ea337601cfbd9a79da3a1fad6b2

  • SHA512

    0ff1255b91beb2c252a436fdc095cacb5a19c674037457743406024174e841d7285c0aa5abcfd47c7bd21999f313e13343e3675d3ecdbb8f9d760775befd9db9

  • SSDEEP

    49152:Dyn7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7xd:DyB

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      afac4eb9d79efcd0395d59351bdef0776b852ea337601cfbd9a79da3a1fad6b2.exe

    • Size

      11.7MB

    • MD5

      41e5a3e35502d37dbc0bf74651a2ec6c

    • SHA1

      f50ce2fc231fc554a1592af2ca6ac1a8c4918286

    • SHA256

      afac4eb9d79efcd0395d59351bdef0776b852ea337601cfbd9a79da3a1fad6b2

    • SHA512

      0ff1255b91beb2c252a436fdc095cacb5a19c674037457743406024174e841d7285c0aa5abcfd47c7bd21999f313e13343e3675d3ecdbb8f9d760775befd9db9

    • SSDEEP

      49152:Dyn7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7x7xd:DyB

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks