General

  • Target

    202409242fed4f867f1b3b5a3f1fe632c09160f0mafia

  • Size

    14.8MB

  • Sample

    240924-vtp53aycke

  • MD5

    2fed4f867f1b3b5a3f1fe632c09160f0

  • SHA1

    b5209a5cfc4f2ebe1a39041675c7d985fc4dbbea

  • SHA256

    d964d79c457a25804009d5d23d8a4552b08baefb122eeb64a2514e169f7eadfa

  • SHA512

    74809b8a70806be6df304181ce9dd3762203cfcc7eb34d13d4a9fae334f860d887184eabab4343ecfbf738c18ea4a409c7c148b398b15b9985a5db8abef01b7c

  • SSDEEP

    6144:7+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:7+r1IeSXMXc7LlxWV4Ug97GZ+ej

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      202409242fed4f867f1b3b5a3f1fe632c09160f0mafia

    • Size

      14.8MB

    • MD5

      2fed4f867f1b3b5a3f1fe632c09160f0

    • SHA1

      b5209a5cfc4f2ebe1a39041675c7d985fc4dbbea

    • SHA256

      d964d79c457a25804009d5d23d8a4552b08baefb122eeb64a2514e169f7eadfa

    • SHA512

      74809b8a70806be6df304181ce9dd3762203cfcc7eb34d13d4a9fae334f860d887184eabab4343ecfbf738c18ea4a409c7c148b398b15b9985a5db8abef01b7c

    • SSDEEP

      6144:7+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:7+r1IeSXMXc7LlxWV4Ug97GZ+ej

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks