General

  • Target

    2024-08-11_0ed142ab9b8545b06b4e583aa04cf2cc_mafia

  • Size

    14.4MB

  • Sample

    240811-y52j1sweqj

  • MD5

    0ed142ab9b8545b06b4e583aa04cf2cc

  • SHA1

    5ae9ff4a51653ffcd6a03291cf8c9ec4f1079a83

  • SHA256

    b0062719e56c9361cd297f4ad53b3a874916c9022fd2f0e927ca4d9bd6dfa836

  • SHA512

    d76f303ed8fd9c9a8ac5416748da4ba3270fd53a8165b94c54227105af1657ed34b1721bb5690e452f61d9af80f4cc6763817ce5b29b0a18b9f2e2e9ad016aab

  • SSDEEP

    6144:2+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:2+r1IeSXMXc7LlxWV4Ug97GZ+ej

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      2024-08-11_0ed142ab9b8545b06b4e583aa04cf2cc_mafia

    • Size

      14.4MB

    • MD5

      0ed142ab9b8545b06b4e583aa04cf2cc

    • SHA1

      5ae9ff4a51653ffcd6a03291cf8c9ec4f1079a83

    • SHA256

      b0062719e56c9361cd297f4ad53b3a874916c9022fd2f0e927ca4d9bd6dfa836

    • SHA512

      d76f303ed8fd9c9a8ac5416748da4ba3270fd53a8165b94c54227105af1657ed34b1721bb5690e452f61d9af80f4cc6763817ce5b29b0a18b9f2e2e9ad016aab

    • SSDEEP

      6144:2+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:2+r1IeSXMXc7LlxWV4Ug97GZ+ej

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks