General

  • Target

    2024-12-02_19bea42ff8e243988f50a16d8f6bdef5_karagany_mafia

  • Size

    14.8MB

  • Sample

    241202-wcdw5szrfk

  • MD5

    19bea42ff8e243988f50a16d8f6bdef5

  • SHA1

    5d7ce7af5387302f32d0c56741f71b7fa4a80b15

  • SHA256

    1df3966bb68ddb214aa79bf0e002afae813fe089498c110b09aa63921df34d6b

  • SHA512

    a92c60835aa4f07c44cb79ad3aaa4ec3476bf0df1611b53704bcbbe55baffbe11bce8981b0bf5f91a4b6d54fa6407ddfa25822cbd33de0ece2369883194427b2

  • SSDEEP

    6144:ZXxZs2EcxJ8GD96ySzTVaFRFX53ncNnUUMMMMMMMMb5:ZXzuKJ8GD96ySzTcANnQMMMMMMMb

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
