General

  • Target

    2024-12-01_8771bbe1870e3f195a9799d11d221dcc_karagany_mafia

  • Size

    13.3MB

  • Sample

    241201-wcz5dasjhq

  • MD5

    8771bbe1870e3f195a9799d11d221dcc

  • SHA1

    5ed9ae508451faa8f2c5dd3b9d7922a8ba27a74a

  • SHA256

    d08f945304cbef1bc7e9b380f7321b692fd50fede584fbfc0829c13ae2eaedcc

  • SHA512

    2d75d2ec904cc69bc46d1d096f8ca7accfa264f776f7358825e9921a26e36e2067c7d09b8e5a9a17bfe4785a00b1f7649295def0ae50d82685ca5be0092c505a

  • SSDEEP

    6144:+yXxZTquqxpXAdbbiFyKq3nUOcWfMMMMMMMbt:+yXzN8pXAdbbyyZtZfMMMMMMMb

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      2024-12-01_8771bbe1870e3f195a9799d11d221dcc_karagany_mafia

    • Size

      13.3MB

    • MD5

      8771bbe1870e3f195a9799d11d221dcc

    • SHA1

      5ed9ae508451faa8f2c5dd3b9d7922a8ba27a74a

    • SHA256

      d08f945304cbef1bc7e9b380f7321b692fd50fede584fbfc0829c13ae2eaedcc

    • SHA512

      2d75d2ec904cc69bc46d1d096f8ca7accfa264f776f7358825e9921a26e36e2067c7d09b8e5a9a17bfe4785a00b1f7649295def0ae50d82685ca5be0092c505a

    • SSDEEP

      6144:+yXxZTquqxpXAdbbiFyKq3nUOcWfMMMMMMMbt:+yXzN8pXAdbbyyZtZfMMMMMMMb

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks