General

  • Target

    588e82d016cf820981a0ff1bc1063ebdacc6918051d5855756d4f141ebc9f48c.exe

  • Size

    12.6MB

  • Sample

    241123-rxhnlswpgx

  • MD5

    0c4b956df94e7fa77967043428ee105d

  • SHA1

    7ec22983461cd45e2fba80b561b9006fd5e012be

  • SHA256

    588e82d016cf820981a0ff1bc1063ebdacc6918051d5855756d4f141ebc9f48c

  • SHA512

    1d0b850ec7273459e454b24ca3ead47d36a270762cc7a348f15df73b63d31390f795e9283e84b401148515ad2404e53993221fee92cf4ca0cd851638e054b18e

  • SSDEEP

    393216:fH2222222222222222222222222222222222222222222222222222222222222h:v222222222222222222222222222222G

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      588e82d016cf820981a0ff1bc1063ebdacc6918051d5855756d4f141ebc9f48c.exe

    • Size

      12.6MB

    • MD5

      0c4b956df94e7fa77967043428ee105d

    • SHA1

      7ec22983461cd45e2fba80b561b9006fd5e012be

    • SHA256

      588e82d016cf820981a0ff1bc1063ebdacc6918051d5855756d4f141ebc9f48c

    • SHA512

      1d0b850ec7273459e454b24ca3ead47d36a270762cc7a348f15df73b63d31390f795e9283e84b401148515ad2404e53993221fee92cf4ca0cd851638e054b18e

    • SSDEEP

      393216:fH2222222222222222222222222222222222222222222222222222222222222h:v222222222222222222222222222222G

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks