General

  • Target

    2025-01-26_8658d0fee2bb9fe4dda474a1930da717_mafia

  • Size

    11.7MB

  • Sample

    250126-w6tjpazphp

  • MD5

    8658d0fee2bb9fe4dda474a1930da717

  • SHA1

    fa9aff4e773da46d3ce8a52f8cc0cd7db9e48d5d

  • SHA256

    b60031e36942a58951a89f163a8f7508a7cde31d59c2692e3262a7239378a832

  • SHA512

    649e8c0519c8c0684781b9e104e816006580c913cf54010a673a4f5a14949a6ea6101f835dbf08f1e8ccd2afb6571f8bfb35682601ba586a46cc5f66a052b34f

  • SSDEEP

    6144:zLQ1p/2p5e+D2jFHO+iZoy6u9FlfrXEz9NQNQNQNQNQNQNQNQNQNQNQNQNQNQNQ1:ITYe+D2jFu+iZoUFhAz
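The hashes above are the identifiers an analyst uses to confirm that a file found on a host or in a feed is this exact sample. The following script is an added example, not part of the sandbox report: it streams a file through MD5, SHA1, SHA256 and SHA512 in one pass and reports which of the listed values match. Only the four hash values are taken from the report; the file path and the bytes used in the self-check are constructed for illustration. SSDEEP is left out because it needs the third-party ssdeep library.

```python
"""Verify a file on disk against the hashes listed in this report.

Added example; not code from the original sandbox report. Only the hash
values in REPORT_HASHES come from the report. The file path and the
sample bytes used by self_check() are constructed for illustration.
"""
import hashlib
import os
import tempfile

# Indicators copied from the report's General section.
REPORT_HASHES = {
    "md5": "8658d0fee2bb9fe4dda474a1930da717",
    "sha1": "fa9aff4e773da46d3ce8a52f8cc0cd7db9e48d5d",
    "sha256": "b60031e36942a58951a89f163a8f7508a7cde31d59c2692e3262a7239378a832",
    "sha512": "649e8c0519c8c0684781b9e104e816006580c913cf54010a673a4f5a14949a6ea"
              "6101f835dbf08f1e8ccd2afb6571f8bfb35682601ba586a46cc5f66a052b34f",
}


def _new_hashers():
    return {name: hashlib.new(name) for name in REPORT_HASHES}


def digest_bytes(data: bytes) -> dict:
    """Compute all four digests of an in-memory buffer."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, chunk_size=1 << 20) -> dict:
    """Stream a file through all four hashers at once.

    Reading in chunks keeps memory flat even for an 11.7 MB dropper and
    avoids reading the file four separate times.
    """
    hashers = _new_hashers()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_report(digests: dict, reference: dict = REPORT_HASHES) -> dict:
    """Return {algo: True/False} for each report hash the digests match.

    Comparison is case-insensitive because feeds disagree on hex case.
    """
    return {
        name: digests.get(name, "").lower() == ref.lower()
        for name, ref in reference.items()
    }


def is_reported_sample(path) -> bool:
    """True only when every listed hash matches.

    An MD5-only hit is weaker evidence than a SHA256 hit; requiring all
    four also catches a copy of the feed entry that was pasted wrongly.
    """
    return all(match_report(digest_file(path)).values())


def self_check() -> bool:
    """Write a constructed buffer to a temp file and confirm that the
    streaming and in-memory paths agree. Returns True on success."""
    data = b"constructed sample bytes, not the real dropper\n" * 4096
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return digest_file(path, chunk_size=1000) == digest_bytes(data) \
            and not is_reported_sample(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, match_report(digest_file(p)))
```

Run it as `python verify.py <file>`; a file that returns True for all four algorithms is the reported sample, regardless of what it has been renamed to on disk.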

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet agent that carries out malicious activity on commands received from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Reads the country code configured in the registry, likely used to geofence execution.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
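The extracted C2 (43.231.4.7, lazystax.ru) and the service, firewall and registry behaviours listed above are what a responder would sweep host and network logs for. The script below is an added example, not part of the sandbox report: it matches DNS and flow records against the C2 indicators (treating subdomains of lazystax.ru as hits but not lookalikes such as lazystax.ru.example.org) and flags service installs with a non-standard image path, netsh advfirewall changes, and writes to a service ImagePath value. The log format and every log line are constructed for illustration; the service and file names in them are placeholders, not artefacts from the sample.

```python
"""Sweep constructed log lines for the indicators and behaviours in this report.

Added example, not code from the original sandbox report. The C2 address
43.231.4.7 and domain lazystax.ru come from the report's extracted config.
The key=value log format and every line in SAMPLE_LOGS are constructed for
illustration (not a real Windows, Sysmon or DNS export), and the service
and file names in them are placeholders, not artefacts of the sample.
"""
import ipaddress
import re
from dataclasses import dataclass

C2_IPS = {"43.231.4.7"}
C2_DOMAINS = {"lazystax.ru"}

# Constructed sample logs, one event per line.
SAMPLE_LOGS = [
    'type=dns host=WS01 query=lazystax.ru answer=43.231.4.7',
    'type=dns host=WS01 query=update.lazystax.ru answer=43.231.4.7',
    'type=dns host=WS02 query=lazystax.ru.example.org answer=10.0.0.5',
    'type=netflow src=10.0.0.21 dst=43.231.4.7 dport=443',
    'type=netflow src=10.0.0.21 dst=43.231.47.1 dport=443',
    'type=service_install host=WS01 name=exampleSvc image_path="C:\\Users\\Public\\example.exe"',
    'type=process host=WS01 cmd="netsh advfirewall firewall add rule name=example dir=in action=allow program=C:\\Users\\Public\\example.exe"',
    'type=registry host=WS01 key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\exampleSvc\\ImagePath value="C:\\Users\\Public\\example.exe"',
    'type=process host=WS02 cmd="notepad.exe C:\\notes.txt"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FIREWALL_RE = re.compile(r'\bnetsh\b.*\badvfirewall\b.*\b(add|set|delete)\b', re.I)
# Service binaries living outside these roots deserve a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")


def parse(line: str) -> dict:
    """Parse the constructed key=value format; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def domain_matches(name: str) -> bool:
    """Exact or subdomain match; a lookalike with the IOC as a prefix does not count."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def ip_matches(addr: str) -> bool:
    """Normalise through ipaddress so 043.231.4.7-style variants cannot slip past."""
    try:
        return str(ipaddress.ip_address(addr)) in C2_IPS
    except ValueError:
        return False


def suspicious_image_path(path: str) -> bool:
    p = path.lower()
    return bool(p) and not p.startswith(TRUSTED_ROOTS)


@dataclass
class Hit:
    line_no: int
    reason: str
    event: dict


def sweep(lines) -> list:
    """Return one Hit per line that matches a C2 indicator or a listed behaviour."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse(line)
        t = ev.get("type")
        if t == "dns" and (domain_matches(ev.get("query", "")) or ip_matches(ev.get("answer", ""))):
            hits.append(Hit(n, "c2_dns", ev))
        elif t == "netflow" and ip_matches(ev.get("dst", "")):
            hits.append(Hit(n, "c2_connection", ev))
        elif t == "service_install" and suspicious_image_path(ev.get("image_path", "")):
            hits.append(Hit(n, "new_service", ev))
        elif t == "process" and FIREWALL_RE.search(ev.get("cmd", "")):
            hits.append(Hit(n, "firewall_modified", ev))
        elif t == "registry" and ev.get("key", "").lower().endswith("\\imagepath"):
            hits.append(Hit(n, "service_imagepath_set", ev))
    return hits


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.reason}: {h.event}")
```

The service-install check is deliberately narrowed to binaries outside the Windows and Program Files trees, because raw service installs are too noisy to alert on; a real deployment would also correlate the ImagePath write, the firewall rule and the DNS query on the same host within a short window before paging anyone.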

MITRE ATT&CK Enterprise v15
