General
-
Target
2024-09-21_857c95c3ee1e86954bfbfc7e4d871caa_mafia
-
Size
11.3MB
-
Sample
240921-g8rqjsygqk
-
MD5
857c95c3ee1e86954bfbfc7e4d871caa
-
SHA1
c8fcaceb46e37f229eb099064af340e1ebdda13a
-
SHA256
6f5cadfef60d9b5e9ad27f6135b19280b0a4ffd8d07bf2f0a91314755659066b
-
SHA512
ff5c7fcbfa3c4f0ad38a3dcadfd58441b2afc678a0459a876ec7a087af639bad9a02f5fd50dd07bf5b506b18ccf215017c23fd6643614ac906f2cd049793ac77
-
SSDEEP
12288:1Vbj7zJB99tzBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBh:1JzXd
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
2024-09-21_857c95c3ee1e86954bfbfc7e4d871caa_mafia
-
Size
11.3MB
-
MD5
857c95c3ee1e86954bfbfc7e4d871caa
-
SHA1
c8fcaceb46e37f229eb099064af340e1ebdda13a
-
SHA256
6f5cadfef60d9b5e9ad27f6135b19280b0a4ffd8d07bf2f0a91314755659066b
-
SHA512
ff5c7fcbfa3c4f0ad38a3dcadfd58441b2afc678a0459a876ec7a087af639bad9a02f5fd50dd07bf5b506b18ccf215017c23fd6643614ac906f2cd049793ac77
-
SSDEEP
12288:1Vbj7zJB99tzBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBh:1JzXd
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2