General

  • Target

    2024-11-06_935e2c30c169112205d10b25c338cbc1_mafia

  • Size

    10.0MB

  • Sample

    241106-xpvabswfkn

  • MD5

    935e2c30c169112205d10b25c338cbc1

  • SHA1

    a0cd4f34ed0dbb5d4eb4758f65fab7ae1a0e2ebe

  • SHA256

    ef0cf9c3a7416b9a5547706530960398aa2bc67a2800813458a34680567efe03

  • SHA512

    dc6787fc71daa25628ebb4c956fb4ab90dc9a83d31a1ff8b1526b8300803fbb7852c59383acb5050ce346299b0dbc9719f706fe588f8d62aef811e4bae94eb30

  • SSDEEP

    49152:QVdrl/8HAzGCbGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGu:QVdrl/9zG

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      2024-11-06_935e2c30c169112205d10b25c338cbc1_mafia

    • Size

      10.0MB

    • MD5

      935e2c30c169112205d10b25c338cbc1

    • SHA1

      a0cd4f34ed0dbb5d4eb4758f65fab7ae1a0e2ebe

    • SHA256

      ef0cf9c3a7416b9a5547706530960398aa2bc67a2800813458a34680567efe03

    • SHA512

      dc6787fc71daa25628ebb4c956fb4ab90dc9a83d31a1ff8b1526b8300803fbb7852c59383acb5050ce346299b0dbc9719f706fe588f8d62aef811e4bae94eb30

    • SSDEEP

      49152:QVdrl/8HAzGCbGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGu:QVdrl/9zG

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks