General

  • Target

    2025-01-26_8658d0fee2bb9fe4dda474a1930da717_mafia

  • Size

    11.7MB

  • Sample

    250126-w6tjpazphp

  • MD5

    8658d0fee2bb9fe4dda474a1930da717

  • SHA1

    fa9aff4e773da46d3ce8a52f8cc0cd7db9e48d5d

  • SHA256

    b60031e36942a58951a89f163a8f7508a7cde31d59c2692e3262a7239378a832

  • SHA512

    649e8c0519c8c0684781b9e104e816006580c913cf54010a673a4f5a14949a6ea6101f835dbf08f1e8ccd2afb6571f8bfb35682601ba586a46cc5f66a052b34f

  • SSDEEP

    6144:zLQ1p/2p5e+D2jFHO+iZoy6u9FlfrXEz9NQNQNQNQNQNQNQNQNQNQNQNQNQNQNQ1:ITYe+D2jFu+iZoUFhAz

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      2025-01-26_8658d0fee2bb9fe4dda474a1930da717_mafia

    • Size

      11.7MB

    • MD5

      8658d0fee2bb9fe4dda474a1930da717

    • SHA1

      fa9aff4e773da46d3ce8a52f8cc0cd7db9e48d5d

    • SHA256

      b60031e36942a58951a89f163a8f7508a7cde31d59c2692e3262a7239378a832

    • SHA512

      649e8c0519c8c0684781b9e104e816006580c913cf54010a673a4f5a14949a6ea6101f835dbf08f1e8ccd2afb6571f8bfb35682601ba586a46cc5f66a052b34f

    • SSDEEP

      6144:zLQ1p/2p5e+D2jFHO+iZoy6u9FlfrXEz9NQNQNQNQNQNQNQNQNQNQNQNQNQNQNQ1:ITYe+D2jFu+iZoUFhAz

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks