General
-
Target
2024-08-15_0b5830fc403efacf6492e62588fe2e3a_mafia
-
Size
10.0MB
-
Sample
240815-r4x2wa1gpm
-
MD5
0b5830fc403efacf6492e62588fe2e3a
-
SHA1
fdeb8f8b9cea48693c2cbdd08cb04e9ef90c5a8d
-
SHA256
895e58e998394c5bad05cea208855f3ec100bbe82128cf9dc8aedd9dfa1a6be2
-
SHA512
a66b328c757b52302a8bddbaa4c26dbbb5a272e128a97db7f5aff9d6e83450fe3f6329f9d57e30324cdefdc53382d7ea7f0826308bea9dc58189fc6a4c792052
-
SSDEEP
6144:W+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:W+r1IeSXMXc7LlxWV4Ug97GZ+ej
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
2024-08-15_0b5830fc403efacf6492e62588fe2e3a_mafia
-
Size
10.0MB
-
MD5
0b5830fc403efacf6492e62588fe2e3a
-
SHA1
fdeb8f8b9cea48693c2cbdd08cb04e9ef90c5a8d
-
SHA256
895e58e998394c5bad05cea208855f3ec100bbe82128cf9dc8aedd9dfa1a6be2
-
SHA512
a66b328c757b52302a8bddbaa4c26dbbb5a272e128a97db7f5aff9d6e83450fe3f6329f9d57e30324cdefdc53382d7ea7f0826308bea9dc58189fc6a4c792052
-
SSDEEP
6144:W+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:W+r1IeSXMXc7LlxWV4Ug97GZ+ej
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2