General

  • Target

    2025-01-26_67130b094de0fe4c0539061c2ba38696_mafia

  • Size

    12.9MB

  • Sample

    250126-w5q26szpfj

  • MD5

    67130b094de0fe4c0539061c2ba38696

  • SHA1

    d8bf6739ccda3916988e174d9756dc1cffa36c3f

  • SHA256

    5166bc7f68594a18219bbe7ae713b68b3b4820848448d8db4525460d73ad84d8

  • SHA512

    ce05d1ccfbd527fbf66c77d4b68cc749eeef6106502355fdf237f746ed55cdcae7da7ce5244a57c3e7e59a8d094ba0cf8358bb8bc81375dc5a0d27880fb2019f

  • SSDEEP

    49152:XqE0YKr3fYPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPn:XqtYc3

Malware Config

Extracted

  • Family

    tofsee

  • C2

    43.231.4.7

    lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
