General

  • Target

    2024-12-01_23e9979fbb7f84f4b5d0607fc2d2f028_karagany_mafia

  • Size

    14.1MB

  • Sample

    241201-walh7ssjdm

  • MD5

    23e9979fbb7f84f4b5d0607fc2d2f028

  • SHA1

    79efaf5f89312c8fdd793ec0635c765da9f4fec6

  • SHA256

    b292c25b82bf85d7627703ab0abfb2ca2a101bb947c05971e000f8b4b08ee919

  • SHA512

    beee800d545f040159da76fbcc61837b4f0be48d7aba9559a268e0a6ec2854ca516b679efccb2d5fc12e8b0fec86d19730cf5cb8d7a8026d7e1895dc1d561450

  • SSDEEP

    6144:lyXxZTquqxpXAdbbiFyKq3nUOcWfMMMMMMMbt:lyXzN8pXAdbbyyZtZfMMMMMMMb

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      2024-12-01_23e9979fbb7f84f4b5d0607fc2d2f028_karagany_mafia

    • Size

      14.1MB

    • MD5

      23e9979fbb7f84f4b5d0607fc2d2f028

    • SHA1

      79efaf5f89312c8fdd793ec0635c765da9f4fec6

    • SHA256

      b292c25b82bf85d7627703ab0abfb2ca2a101bb947c05971e000f8b4b08ee919

    • SHA512

      beee800d545f040159da76fbcc61837b4f0be48d7aba9559a268e0a6ec2854ca516b679efccb2d5fc12e8b0fec86d19730cf5cb8d7a8026d7e1895dc1d561450

    • SSDEEP

      6144:lyXxZTquqxpXAdbbiFyKq3nUOcWfMMMMMMMbt:lyXzN8pXAdbbyyZtZfMMMMMMMb

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks