General

  • Target

    2025-01-24_eb5c85e3ef72cd8a17d66ee635dec743_mafia

  • Size

    13.6MB

  • Sample

    250124-xx84fsvpbn

  • MD5

    eb5c85e3ef72cd8a17d66ee635dec743

  • SHA1

    4fc6d0b7936828d347ceaf1cbcfc174654f291ee

  • SHA256

    ac022f3e67da3d10f336e52afd6ea6b084c0f9b61d0de228f7b2e23c1d6df473

  • SHA512

    940a33d0e68c6420f1ebb36c194a8bcf0a625fe75629e01bbf30471b44b7d6f43a2349d91d31c06fca52a707559ecd1e01af311be876f5be9f12b2b2cba9bd75

  • SSDEEP

    6144:tLQ1p/2p5e+D2jFHO+iZoy6u9FlfrXEz9NQNQNQNQNQNQNQNQNQNQNQNQNQNQNQV:+TYe+D2jFu+iZoUFhAz

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
