General

  • Target

    2024-11-03_7805744de467df9742263b9b6bad88db_mafia

  • Size

    13.2MB

  • Sample

    241103-lzkm4a1enb

  • MD5

    7805744de467df9742263b9b6bad88db

  • SHA1

    f65a57962202de0ab0264ea1c5d5193a2f4bd349

  • SHA256

    dce5b9da95d9d01aa4be5091d9cdcc52456d04f5e52385b79bc7887410eeea7e

  • SHA512

    b15550cc947017eec88d2fb8ad96fed34f48fd998dca4c7f5efbc789889aefb78264908e054a35b63d47d9c3e6eb2eee2fb7e9e41bf7fb5c5af20f0a9d84298e

  • SSDEEP

    196608:H3aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+:H

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks