General

  • Target

    2024-11-03_3514d0875438dd5682cfe14dd6cd95ec_mafia

  • Size

    10.4MB

  • Sample

    241103-ymbwmsvqgr

  • MD5

    3514d0875438dd5682cfe14dd6cd95ec

  • SHA1

    b69b0f81ffb4d8684e770e80746249042cf7756f

  • SHA256

    7810708f33c355028fb29b32b57474d12daf826b803b471756cb6800f32b7436

  • SHA512

    0387238e6e8c713beb521bd5d58d724d0abfa59e6da4f63483759c0f1799fb362e5b002429d0fd7b201841b6c725c004c339e4086268031997d3c2388e92a762

  • SSDEEP

    49152:1Vdrl/8HAzGCbGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGn:1Vdrl/9zG

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      2024-11-03_3514d0875438dd5682cfe14dd6cd95ec_mafia

    • Size

      10.4MB

    • MD5

      3514d0875438dd5682cfe14dd6cd95ec

    • SHA1

      b69b0f81ffb4d8684e770e80746249042cf7756f

    • SHA256

      7810708f33c355028fb29b32b57474d12daf826b803b471756cb6800f32b7436

    • SHA512

      0387238e6e8c713beb521bd5d58d724d0abfa59e6da4f63483759c0f1799fb362e5b002429d0fd7b201841b6c725c004c339e4086268031997d3c2388e92a762

    • SSDEEP

      49152:1Vdrl/8HAzGCbGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGn:1Vdrl/9zG

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks