General
-
Target
2024-11-28_bd0b9ca3ef9979fe7bf7267264ffe05d_karagany_mafia
-
Size
13.0MB
-
Sample
241128-r7d36swpaq
-
MD5
bd0b9ca3ef9979fe7bf7267264ffe05d
-
SHA1
d60a683d1143e12197bc593153480af7a6398de1
-
SHA256
651e2ea48089fe2457bc7d88d4df485139a1277b5cfc9126124caea1ba51520a
-
SHA512
11ac0b1debaf38aee96c49ad16ff75440ebf5636cf0a997dd9654caa62f65d4059921b65b8972231d7ea1171dbc6c677f9c292881a75d77a4691e87b52063f45
-
SSDEEP
6144:eXxZs2EcxJ8GD96ySzTVaFRFX53ncNnUUMMMMMMMMb5:eXzuKJ8GD96ySzTcANnQMMMMMMMb
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
2024-11-28_bd0b9ca3ef9979fe7bf7267264ffe05d_karagany_mafia
-
Size
13.0MB
-
MD5
bd0b9ca3ef9979fe7bf7267264ffe05d
-
SHA1
d60a683d1143e12197bc593153480af7a6398de1
-
SHA256
651e2ea48089fe2457bc7d88d4df485139a1277b5cfc9126124caea1ba51520a
-
SHA512
11ac0b1debaf38aee96c49ad16ff75440ebf5636cf0a997dd9654caa62f65d4059921b65b8972231d7ea1171dbc6c677f9c292881a75d77a4691e87b52063f45
-
SSDEEP
6144:eXxZs2EcxJ8GD96ySzTVaFRFX53ncNnUUMMMMMMMMb5:eXzuKJ8GD96ySzTcANnQMMMMMMMb
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2