General

  • Target

    2024-12-01_8f03907ba4f5beb91afca249985588b5_karagany_mafia

  • Size

    14.5MB

  • Sample

    241201-weksgaskcm

  • MD5

    8f03907ba4f5beb91afca249985588b5

  • SHA1

    285442119288693a48d49fac770b5fd1463bf9b0

  • SHA256

    a36378ea861fc985ea84824587384cd4da4c8c3bfa348ef21675c6062558198e

  • SHA512

    6cd27e000c15464c3d0b34ba8f0f3277dd7e9dc0840e95a4c55e5853f243b2cb40e2f19a8efe248b4a7923282a09a6dab8338c695a350786e3f7792d1fcf1b4a

  • SSDEEP

    6144:byXxZTquqxpXAdbbiFyKq3nUOcWfMMMMMMMbt:byXzN8pXAdbbyyZtZfMMMMMMMb

Malware Config

Extracted

  • Family

    tofsee

  • C2

    43.231.4.7

    lazystax.ru

Targets

    • Target

      2024-12-01_8f03907ba4f5beb91afca249985588b5_karagany_mafia

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks