General

  • Target

    2025-01-21_f1750aa78c4789f32d2625a84d2e03ac_mafia

  • Size

    11.5MB

  • Sample

    250121-3qjswaxjh1

  • MD5

    f1750aa78c4789f32d2625a84d2e03ac

  • SHA1

    8d32679daae808536efc0481da19ccde3fc7e99e

  • SHA256

    ac89c8baa443fe6395757f6c0f21fbfdb8b9e2d7855ec4195be8630e93c2a094

  • SHA512

    1347fd032c87c34ec2329a4436d13802845e24c93ea19143eb634ad3c3f38130ba352164600e2e89fa39d6fa38c89c3ebb887315e812da1102775c5648992c5a

  • SSDEEP

    49152:NqE0YKr3fYPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPn:NqtYc3

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks
