General
-
Target
2025-04-04_3c6b7f9e39a3b566d35f65967f7c76a0_black-basta_luca-stealer
-
Size
14.5MB
-
Sample
250404-enav7ay1hy
-
MD5
3c6b7f9e39a3b566d35f65967f7c76a0
-
SHA1
afc942d25e9e50b659c09acb2e44791b1b7a326c
-
SHA256
1f599c7159a4c57afcc1e115852376aea64faf946cda5bd7580dd0e54517286b
-
SHA512
5ea654503fd93cc90454fadf8334bd6bd5efbc0b98135e533472df678059becde64ac2c6327d16a61f358615d9a8e4188bec8debb83b9f6fdc2898dacd34fabe
-
SSDEEP
49152:t/LuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuO:t
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
2025-04-04_3c6b7f9e39a3b566d35f65967f7c76a0_black-basta_luca-stealer
-
Size
14.5MB
-
MD5
3c6b7f9e39a3b566d35f65967f7c76a0
-
SHA1
afc942d25e9e50b659c09acb2e44791b1b7a326c
-
SHA256
1f599c7159a4c57afcc1e115852376aea64faf946cda5bd7580dd0e54517286b
-
SHA512
5ea654503fd93cc90454fadf8334bd6bd5efbc0b98135e533472df678059becde64ac2c6327d16a61f358615d9a8e4188bec8debb83b9f6fdc2898dacd34fabe
-
SSDEEP
49152:t/LuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuO:t
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1