General

  • Target: 2024-12-01_ed275a5b6dba1ca2b37c7eef0adbf16b_karagany_mafia
  • Size: 13.8MB
  • Sample: 241201-3qxpqssrgk
  • MD5: ed275a5b6dba1ca2b37c7eef0adbf16b
  • SHA1: 49e4329d3162683d2800dea4fd59d0bc6f3acc25
  • SHA256: 15b861ffcc39f198fa8ac6ad669c42761d655e8033c73ebd6a33c5b5d5d82979
  • SHA512: d00139195a5633db1e818a2a749ca1cbb8e7dfd6cdc1c6a84e8ee1aede9f1a0dccd61394ee6ec397988a95243dc6db74ad74ff2394acae085165b05e067e96a8
  • SSDEEP: 24576:YXzqpE5DpEMMMMMMMb4zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzn:YXPVpEMMMMMMMb

Malware Config

Extracted

  • Family: tofsee
  • C2: 43.231.4.7
  • C2: lazystax.ru

Targets

    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Tofsee family
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks