General

  • Target

    2024-08-25_1a50f107e046ddff86ea9ccb7ea61495_mafia

  • Size

    12.9MB

  • Sample

    240825-1axnpawbrd

  • MD5

    1a50f107e046ddff86ea9ccb7ea61495

  • SHA1

    274c864256fc81e900541df30e4d3ff5d6c511b4

  • SHA256

    39102efc9b46dd7fbee596fc412478562c287cd893ffc376427178a3ed157274

  • SHA512

    6c0a4534edf9ba41539f622f9dca6085da10678cd58415d747bd1ba96507a8910e2833bb67f701e4bd611af49e4e53c56e69bff3667cb36e6a347cf3c4699bfe

  • SSDEEP

    6144:u+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:u+r1IeSXMXc7LlxWV4Ug97GZ+ej

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      2024-08-25_1a50f107e046ddff86ea9ccb7ea61495_mafia

    • Size

      12.9MB

    • MD5

      1a50f107e046ddff86ea9ccb7ea61495

    • SHA1

      274c864256fc81e900541df30e4d3ff5d6c511b4

    • SHA256

      39102efc9b46dd7fbee596fc412478562c287cd893ffc376427178a3ed157274

    • SHA512

      6c0a4534edf9ba41539f622f9dca6085da10678cd58415d747bd1ba96507a8910e2833bb67f701e4bd611af49e4e53c56e69bff3667cb36e6a347cf3c4699bfe

    • SSDEEP

      6144:u+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:u+r1IeSXMXc7LlxWV4Ug97GZ+ej

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks