General

  • Target

    2024-12-01_44fa99d7aeb4ab3d8be4d018239719f7_karagany_mafia

  • Size

    13.7MB

  • Sample

    241201-2228xs1pfl

  • MD5

    44fa99d7aeb4ab3d8be4d018239719f7

  • SHA1

    f19699efd23cf3fdf1ebdefc680a5b7927bf5f2d

  • SHA256

    f3a8c2d16920ba9ddd77b50a952d68c13c62b4eecc0a98c852c4b09527e2f648

  • SHA512

    d5377d7fb5a9e556e499604b20b3d3512ead3dbffca557efca1ff2721c68f9a625431557e143e4213b0ae8130f899a4f67ff2537b547641dc4e789fd82fcbc67

  • SSDEEP

    24576:MXzqpE5DpEMMMMMMMb4zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:MXPVpEMMMMMMMb

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks