General

  • Target

    2024-08-13_c8bb3c0325deb3428a7925dbf0955166_mafia

  • Size

    14.1MB

  • Sample

    240813-xm2xdsvgqr

  • MD5

    c8bb3c0325deb3428a7925dbf0955166

  • SHA1

    868102a95a7d821930d5d5cd33e43ac19416fce7

  • SHA256

    04805b65fee518c0ea9132b20076a6023216a8896810d99ed1e239f494052641

  • SHA512

    0010eafd1a6f74284a706f7ae1a81ce1734f8cc8e4759d2ee144a16d2a31d429fbeb45919ed479f8e7d527a85895e0559b158ed952fe5e2da86dd2ab878091cc

  • SSDEEP

    6144:m+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:m+r1IeSXMXc7LlxWV4Ug97GZ+ej

Malware Config

Extracted

  • Family

    tofsee

  • C2

    43.231.4.7

    lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks