tofsee | e7b496e063b128d643db2da1369603b9578fe6e9c1eac173851fc6eada32367c

General

Target

2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe
Size

10.1MB
MD5

7d6f1b4748e144af0c92e4217f914723
SHA1

aa592d916899beed262bfc9a71aeeef0048835c2
SHA256

e7b496e063b128d643db2da1369603b9578fe6e9c1eac173851fc6eada32367c
SHA512

60e5505a06355d76b348f5e78047c6fee8e6a35708ef1da3688231d2fbbfe6360119345fd8cbedb5cd13e8d833caa6558047bf191a1995dd45869586db077d5c
SSDEEP

49152:Hz6yiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiix:Hu

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Tofsee family
tofsee
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5252	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uthyblej\ImagePath = "C:\\Windows\\SysWOW64\\uthyblej\\dxxozizb.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe

Deletes itself 1 IoCs

pid	Process
5412	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4840	dxxozizb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 5412	4840	dxxozizb.exe	112

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4872	sc.exe
4664	sc.exe
4908	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3396	2464	WerFault.exe	86
412	4840	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxxozizb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 5092	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	91
PID 2464 wrote to memory of 5092	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	91
PID 2464 wrote to memory of 5092	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	91
PID 2464 wrote to memory of 4592	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	93
PID 2464 wrote to memory of 4592	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	93
PID 2464 wrote to memory of 4592	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	93
PID 2464 wrote to memory of 4872	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	97
PID 2464 wrote to memory of 4872	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	97
PID 2464 wrote to memory of 4872	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	97
PID 2464 wrote to memory of 4664	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	99
PID 2464 wrote to memory of 4664	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	99
PID 2464 wrote to memory of 4664	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	99
PID 2464 wrote to memory of 4908	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	103
PID 2464 wrote to memory of 4908	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	103
PID 2464 wrote to memory of 4908	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	103
PID 2464 wrote to memory of 5252	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	106
PID 2464 wrote to memory of 5252	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	106
PID 2464 wrote to memory of 5252	2464	2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe	106
PID 4840 wrote to memory of 5412	4840	dxxozizb.exe	112
PID 4840 wrote to memory of 5412	4840	dxxozizb.exe	112
PID 4840 wrote to memory of 5412	4840	dxxozizb.exe	112
PID 4840 wrote to memory of 5412	4840	dxxozizb.exe	112
PID 4840 wrote to memory of 5412	4840	dxxozizb.exe	112

C:\Users\Admin\AppData\Local\Temp\2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uthyblej\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dxxozizb.exe" C:\Windows\SysWOW64\uthyblej\
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4592
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create uthyblej binPath= "C:\Windows\SysWOW64\uthyblej\dxxozizb.exe /d\"C:\Users\Admin\AppData\Local\Temp\2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4872
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description uthyblej "wifi internet conection"
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4664
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start uthyblej
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4908
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1212
  2⤵
  - Program crash
  PID:3396

C:\Windows\SysWOW64\uthyblej\dxxozizb.exe
C:\Windows\SysWOW64\uthyblej\dxxozizb.exe /d"C:\Users\Admin\AppData\Local\Temp\2025-04-04_7d6f1b4748e144af0c92e4217f914723_black-basta_luca-stealer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Sets service image path in registry
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:5412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 556
  2⤵
  - Program crash
  PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2464 -ip 2464
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4840 -ip 4840
1⤵
PID:5560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dxxozizb.exe

Filesize
13.9MB

MD5
ae7cbd544eee4915cfd3038107281aac

SHA1
bddf27cb225c7e92a50b596946f884d263585f28

SHA256
990aadc63a420b2b037d8af73133afee8ea59715558c4b52864d861f9b3c3839

SHA512
5695ddd495ea9f30f72b64eff95c0b9a1f0d14fdc6425f421f7682c78a69bc65c963cbd7ab909a09dd4cf059ed78cb669c2ecf23f44b4746cd73a4ba9c0784d0

Download Submit
memory/2464-10-0x0000000002AA0000-0x0000000002AB3000-memory.dmp

Filesize
76KB

Download
memory/2464-3-0x0000000002AA0000-0x0000000002AB3000-memory.dmp

Filesize
76KB

Download
memory/2464-4-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2464-2-0x0000000000DB0000-0x0000000000EB0000-memory.dmp

Filesize
1024KB

Download
memory/2464-0-0x0000000000400000-0x0000000000D54000-memory.dmp

Filesize
9.3MB

Download
memory/2464-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2464-11-0x0000000000400000-0x0000000000D54000-memory.dmp

Filesize
9.3MB

Download
memory/4840-8-0x0000000000400000-0x0000000000D54000-memory.dmp

Filesize
9.3MB

Download
memory/4840-18-0x0000000000400000-0x0000000000D54000-memory.dmp

Filesize
9.3MB

Download
memory/5412-14-0x0000000001250000-0x0000000001265000-memory.dmp

Filesize
84KB

Download
memory/5412-16-0x0000000001250000-0x0000000001265000-memory.dmp

Filesize
84KB

Download
memory/5412-17-0x0000000001250000-0x0000000001265000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads