General

  • Target

    2024-12-02_6a78c96bfc6f9c9957e4fc753858e158_karagany_mafia

  • Size

    13.3MB

  • Sample

    241202-z72s8syrej

  • MD5

    6a78c96bfc6f9c9957e4fc753858e158

  • SHA1

    9f1c1ed1e963110addd477cf2c70e633fb889c3e

  • SHA256

    3741ce9fe249af187edf138e87543844f539fcb9b539d81e97832b44fb7dfe29

  • SHA512

    e195b4e519b87817cc4444dc171414e7d93133c05d1a610235ee4047a18f22620b6b7b88bb4589811054b6c1fab8cf63ffb923dc9500cc1cdb86c44106f5434d

  • SSDEEP

    6144:lXxZs2EcxJ8GD96ySzTVaFRFX53ncNnUUMMMMMMMMb5:lXzuKJ8GD96ySzTcANnQMMMMMMMb

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks