General

  • Target

    2025-01-26_67130b094de0fe4c0539061c2ba38696_mafia

  • Size

    12.9MB

  • Sample

    250126-w5q26szpfj

  • MD5

    67130b094de0fe4c0539061c2ba38696

  • SHA1

    d8bf6739ccda3916988e174d9756dc1cffa36c3f

  • SHA256

    5166bc7f68594a18219bbe7ae713b68b3b4820848448d8db4525460d73ad84d8

  • SHA512

    ce05d1ccfbd527fbf66c77d4b68cc749eeef6106502355fdf237f746ed55cdcae7da7ce5244a57c3e7e59a8d094ba0cf8358bb8bc81375dc5a0d27880fb2019f

  • SSDEEP

    49152:XqE0YKr3fYPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPn:XqtYc3

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks