General

  • Target

    2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia

  • Size

    13.2MB

  • Sample

    250113-ykvwqsxrem

  • MD5

    ccfdd3b3bd716781c58f384e57832015

  • SHA1

    16cbe22c63946bab54a091bbc868f5a1029bf817

  • SHA256

    587d46422210f07b6fa947c32729635b21defda03a4030132ca3a4ac6b6bdd80

  • SHA512

    51ce7ef3d59287d5aa22c98c56e96018d19308cdb12d4be05d1602cd7dabbb17269c9579dbad6907436dc8a5312f92f753f7463890a005dbdc0a2c48dca0e177

  • SSDEEP

    49152:jqE0YKr3fYPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPn:jqtYc3

Malware Config

Extracted

  • Family

    tofsee

  • C2

    43.231.4.7

    lazystax.ru

Targets

    • Target

      2025-01-13_ccfdd3b3bd716781c58f384e57832015_mafia

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks