General

  • Target

    2024-08-12_8929641a4743a1f31d61b709b21546bb_mafia

  • Size

    13.0MB

  • Sample

    240812-xdrp3atgpl

  • MD5

    8929641a4743a1f31d61b709b21546bb

  • SHA1

    abd8b99e50250231c71a0db3fe6ea06fb71a9dae

  • SHA256

    05d931b26f278c005dfa314ee8bc1255c686090b1cf4b221c807033405acca08

  • SHA512

    197dbf29c1bad7308aa7838efefcfdbc6097fbe68d7fb59fa64b9230fb7f5a7ec208f9b9ab4058b029406edd332f8a8c45087f128d02341e4098b9ac1da7ecb3

  • SSDEEP

    6144:6+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:6+r1IeSXMXc7LlxWV4Ug97GZ+ej

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      2024-08-12_8929641a4743a1f31d61b709b21546bb_mafia

    • Size

      13.0MB

    • MD5

      8929641a4743a1f31d61b709b21546bb

    • SHA1

      abd8b99e50250231c71a0db3fe6ea06fb71a9dae

    • SHA256

      05d931b26f278c005dfa314ee8bc1255c686090b1cf4b221c807033405acca08

    • SHA512

      197dbf29c1bad7308aa7838efefcfdbc6097fbe68d7fb59fa64b9230fb7f5a7ec208f9b9ab4058b029406edd332f8a8c45087f128d02341e4098b9ac1da7ecb3

    • SSDEEP

      6144:6+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:6+r1IeSXMXc7LlxWV4Ug97GZ+ej

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks