General
-
Target
2025-01-24_eb5c85e3ef72cd8a17d66ee635dec743_mafia
-
Size
13.6MB
-
Sample
250124-xx84fsvpbn
-
MD5
eb5c85e3ef72cd8a17d66ee635dec743
-
SHA1
4fc6d0b7936828d347ceaf1cbcfc174654f291ee
-
SHA256
ac022f3e67da3d10f336e52afd6ea6b084c0f9b61d0de228f7b2e23c1d6df473
-
SHA512
940a33d0e68c6420f1ebb36c194a8bcf0a625fe75629e01bbf30471b44b7d6f43a2349d91d31c06fca52a707559ecd1e01af311be876f5be9f12b2b2cba9bd75
-
SSDEEP
6144:tLQ1p/2p5e+D2jFHO+iZoy6u9FlfrXEz9NQNQNQNQNQNQNQNQNQNQNQNQNQNQNQV:+TYe+D2jFu+iZoUFhAz
Static task
static1
Behavioral task
behavioral1
Sample
2025-01-24_eb5c85e3ef72cd8a17d66ee635dec743_mafia.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
2025-01-24_eb5c85e3ef72cd8a17d66ee635dec743_mafia.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
2025-01-24_eb5c85e3ef72cd8a17d66ee635dec743_mafia
-
Size
13.6MB
-
MD5
eb5c85e3ef72cd8a17d66ee635dec743
-
SHA1
4fc6d0b7936828d347ceaf1cbcfc174654f291ee
-
SHA256
ac022f3e67da3d10f336e52afd6ea6b084c0f9b61d0de228f7b2e23c1d6df473
-
SHA512
940a33d0e68c6420f1ebb36c194a8bcf0a625fe75629e01bbf30471b44b7d6f43a2349d91d31c06fca52a707559ecd1e01af311be876f5be9f12b2b2cba9bd75
-
SSDEEP
6144:tLQ1p/2p5e+D2jFHO+iZoy6u9FlfrXEz9NQNQNQNQNQNQNQNQNQNQNQNQNQNQNQV:+TYe+D2jFu+iZoUFhAz
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2