General

  • Target

    2025-01-22_523d1fcb30b0be55025f943dd2ea782c_mafia

  • Size

    14.2MB

  • Sample

    250122-xyzw6s1lbz

  • MD5

    523d1fcb30b0be55025f943dd2ea782c

  • SHA1

    46f37da9a49c94ca28ffd85d6f2755e4092d8828

  • SHA256

    25ea713eaea092a55c88031ea995a15a520d68f0f6b2d6b48a9028cebeb93ae0

  • SHA512

    eb2cbdec907789cc52c2458cb75e0f333b400c35be2dbadbdcf9e2339084dd4a48a3d9179de0403dd1aa7a37d10a04252338c5fe8b8bf02e4ffe35947ca3a44f

  • SSDEEP

    24576:sEfmTNIkv/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZj:pfot

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      2025-01-22_523d1fcb30b0be55025f943dd2ea782c_mafia

    • Size

      14.2MB

    • MD5

      523d1fcb30b0be55025f943dd2ea782c

    • SHA1

      46f37da9a49c94ca28ffd85d6f2755e4092d8828

    • SHA256

      25ea713eaea092a55c88031ea995a15a520d68f0f6b2d6b48a9028cebeb93ae0

    • SHA512

      eb2cbdec907789cc52c2458cb75e0f333b400c35be2dbadbdcf9e2339084dd4a48a3d9179de0403dd1aa7a37d10a04252338c5fe8b8bf02e4ffe35947ca3a44f

    • SSDEEP

      24576:sEfmTNIkv/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZj:pfot

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks