General

  • Target

    2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia

  • Size

    13.8MB

  • Sample

    241104-16ta5s1lbj

  • MD5

    9c51a91c066c0450f73e9094bff5b3d4

  • SHA1

    69443b3cd6392afd4d9abd4191cc83979fbf1cf5

  • SHA256

    1bbf4d3f017661eb57be195c6c53319731eb6c36aee2ddecf39b53ec91bcfdb2

  • SHA512

    2eaabc50c4f270dbd8e9bb93221456fb1270ceda504b127765679eda4403c4c6efae4a18ed79fc1780acc885fd29b5e676479858a3a962a680941f0324fcca84

  • SSDEEP

    49152:AVdrl/8HAzGCbGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG3:AVdrl/9zG

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru
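The extracted config gives one C2 address and one C2 domain plus the sample's file hashes. The following Python is an added example for this report (not sandbox output) showing how a practitioner would sweep those indicators across log data and file digests; the key=value log format and the log lines themselves are constructed, and the SSDEEP fuzzy hash is left out because it needs a third-party binding.

```python
"""Match the C2 and hash indicators from the extracted Tofsee config above.

Added example for this report, not sandbox output. Log lines are constructed.
"""
import hashlib
import re

# Indicators copied from the report.
C2_IPS = {"43.231.4.7"}
C2_DOMAINS = {"lazystax.ru"}
SAMPLE_HASHES = {
    "md5": "9c51a91c066c0450f73e9094bff5b3d4",
    "sha1": "69443b3cd6392afd4d9abd4191cc83979fbf1cf5",
    "sha256": "1bbf4d3f017661eb57be195c6c53319731eb6c36aee2ddecf39b53ec91bcfdb2",
}

# Constructed DNS/connection log lines in an assumed key=value format.
SAMPLE_LOGS = [
    "2024-11-04T16:20:01Z type=dns host=WS01 qname=lazystax.ru rcode=NOERROR",
    "2024-11-04T16:20:02Z type=conn host=WS01 src=10.0.0.5 dst=43.231.4.7 dport=443",
    "2024-11-04T16:21:10Z type=dns host=WS02 qname=update.lazystax.ru rcode=NXDOMAIN",
    "2024-11-04T16:22:00Z type=conn host=WS03 src=10.0.0.7 dst=43.231.4.70 dport=80",
    "2024-11-04T16:23:00Z type=dns host=WS03 qname=notlazystax.ru rcode=NOERROR",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
QNAME_RE = re.compile(r"\bqname=([A-Za-z0-9.-]+)")


def domain_indicator(name, known=C2_DOMAINS):
    """Return the known C2 domain that `name` equals or is a subdomain of, else None.

    Suffix matching is done on label boundaries, so 'notlazystax.ru' does not hit.
    """
    name = name.lower().rstrip(".")
    for d in known:
        if name == d or name.endswith("." + d):
            return d
    return None


def scan_logs(lines, ips=C2_IPS):
    """Return (line_index, kind, observed, indicator) for every IOC hit."""
    hits = []
    for i, line in enumerate(lines):
        # Whole-token match: 43.231.4.70 must not be reported as 43.231.4.7.
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((i, "ip", ip, ip))
        m = QNAME_RE.search(line)
        if m:
            d = domain_indicator(m.group(1))
            if d:
                hits.append((i, "domain", m.group(1), d))
    return hits


def digests(data):
    """MD5/SHA1/SHA256 of a byte string, keyed like the report's hash list."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matching_algorithms(observed, known=SAMPLE_HASHES):
    """Names of the algorithms whose digests agree between observed and known."""
    return {alg for alg, h in known.items() if observed.get(alg, "").lower() == h}


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
    # Constructed bytes stand in for a file under examination; they will not match.
    print(matching_algorithms(digests(b"not the sample")))
```

Sandbox-extracted C2 addresses are point-in-time values, so a domain hit (including subdomains) is the more durable indicator, and the hash match only finds this exact build.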

Targets

    • Target

      2024-11-04_9c51a91c066c0450f73e9094bff5b3d4_mafia

    • Size

      13.8MB

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
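The signature list above is most useful when the behaviours are correlated per process rather than alerted on individually (a locale lookup alone is common in benign software). The following Python is an added example for this report, not the sandbox's own signature engine: it models five of the listed signatures as predicates over constructed endpoint events and flags a process once several fire together. The event shape, the registry locations (the country code is assumed to be `HKCU\Control Panel\International\Geo\Nation`) and the `netsh advfirewall` command line are assumptions; "Executes dropped EXE", "Suspicious use of SetThreadContext" and "Windows security bypass" are not modelled.

```python
"""Correlate the behaviour signatures listed above on constructed endpoint events.

Added example; not the sandbox's own signature engine. Event shape, registry
paths and the firewall command line are assumptions; all events are constructed.
"""
import re

# Image of each process, as a Sysmon/EDR pipeline would know it (constructed).
PROCESS_IMAGES = {
    4242: r"C:\Users\user\Desktop\sample.exe",
    5100: r"C:\Windows\explorer.exe",
}

# Constructed events keyed by the pid that generated them. The process_create
# event is attributed to the parent pid that launched netsh.
EVENTS = [
    {"pid": 4242, "type": "service_create", "name": "svchostx",
     "image_path": r"C:\Users\Public\svchostx.exe"},
    {"pid": 4242, "type": "reg_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\svchostx", "value": "ImagePath"},
    {"pid": 4242, "type": "reg_query",
     "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"pid": 4242, "type": "process_create", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="svchostx" dir=in '
                r'action=allow program="C:\Users\Public\svchostx.exe"'},
    {"pid": 4242, "type": "file_delete", "path": r"C:\Users\user\Desktop\sample.exe"},
    # A benign process reading the same locale value: a single low-confidence hit.
    {"pid": 5100, "type": "reg_query",
     "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
]

NETSH_FW_RE = re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\b", re.IGNORECASE)


def _creates_service(e, own):
    return e["type"] == "service_create"


def _sets_image_path(e, own):
    return (e["type"] == "reg_set"
            and e.get("value", "").lower() == "imagepath"
            and "\\currentcontrolset\\services\\" in e.get("key", "").lower())


def _modifies_firewall(e, own):
    return e["type"] == "process_create" and bool(NETSH_FW_RE.search(e.get("cmdline", "")))


def _checks_location(e, own):
    # Assumed location of the configured country code (Geo\Nation).
    return (e["type"] == "reg_query"
            and e.get("key", "").lower().endswith("\\international\\geo")
            and e.get("value", "").lower() == "nation")


def _deletes_itself(e, own):
    # Self-deletion: the deleted path is the image of the deleting process.
    return (e["type"] == "file_delete" and own is not None
            and e.get("path", "").lower() == own.lower())


SIGNATURES = {
    "Creates new service(s)": _creates_service,
    "Sets service image path in registry": _sets_image_path,
    "Modifies Windows Firewall": _modifies_firewall,
    "Checks computer location settings": _checks_location,
    "Deletes itself": _deletes_itself,
}


def signature_hits(events, images):
    """Map each pid to the set of signature names its events triggered."""
    hits = {}
    for e in events:
        own = images.get(e["pid"])
        for name, pred in SIGNATURES.items():
            if pred(e, own):
                hits.setdefault(e["pid"], set()).add(name)
    return hits


def flagged(hits, threshold=3):
    """Pids with at least `threshold` distinct signatures, most suspicious first."""
    return sorted((p for p, s in hits.items() if len(s) >= threshold),
                  key=lambda p: -len(hits[p]))


if __name__ == "__main__":
    hits = signature_hits(EVENTS, PROCESS_IMAGES)
    for pid in flagged(hits):
        print(pid, PROCESS_IMAGES[pid], sorted(hits[pid]))
```

The threshold is the tuning knob: the service creation plus ImagePath write plus firewall rule is the persistence-and-exposure combination worth paging on, while the country-code read on its own should only add weight, not alert.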

MITRE ATT&CK Enterprise v15

Tasks