General

  • Target

    2025-01-26_15690cfc6f103df9ee6ec8ce20fdebc3_mafia

  • Size

    10.4MB

  • Sample

    250126-xfn2ys1jfk

  • MD5

    15690cfc6f103df9ee6ec8ce20fdebc3

  • SHA1

    6e665418d284d8b938d051bafa7e21b3ba86c80f

  • SHA256

    705eafbde7f8167554b1d394de00d91d5510106c42dfb00c9cc39685c002a3cf

  • SHA512

    20b5effaeddf8efdf41e3b0e7d9ccbbb166bb71757e66b2b9f7b99c6d6d0e3e72f2166fd191a9ed20e2dbc6b8bfd744fe2c727c42210ebd9bd0b773a9b81aec7

  • SSDEEP

    24576:IEfmTNIkv/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZd:Ffot

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      2025-01-26_15690cfc6f103df9ee6ec8ce20fdebc3_mafia

    • Tofsee

      Backdoor and botnet client that carries out malicious activities on commands received from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
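The hashes, the two C2 indicators and the service-registration behaviour listed above are enough for a first-pass hunt in endpoint telemetry. The following is an added example and is not part of the sandbox report: it matches the report's indicators against Sysmon-style process-creation (event 1), network (3), registry value-set (13) and DNS (22) records, and flags ImagePath writes whose binary sits outside the usual service directories or that bypass the Service Control Manager. Every event record is constructed, the service name svc_example is made up, and the trusted-directory list and the services.exe check are heuristics, not a definition of the family's behaviour.

```python
"""Hunt for the Tofsee sample described above in Sysmon-style telemetry.

Added example, not part of the sandbox report. The hash and C2 indicators are
copied from the report; every event record below is constructed to look like
a Sysmon event (IDs 1, 3, 13, 22) and is not real telemetry. The service name
svc_example is made up.
"""
import re

# Indicators copied from the report.
SAMPLE_HASHES = {
    "MD5": "15690cfc6f103df9ee6ec8ce20fdebc3",
    "SHA1": "6e665418d284d8b938d051bafa7e21b3ba86c80f",
    "SHA256": "705eafbde7f8167554b1d394de00d91d5510106c42dfb00c9cc39685c002a3cf",
}
C2_IPS = {"43.231.4.7"}
C2_DOMAINS = {"lazystax.ru"}

# Sysmon formats the Hashes field as "MD5=...,SHA256=...,IMPHASH=...".
_HASH_RE = re.compile(r"(MD5|SHA1|SHA256)=([0-9a-fA-F]+)")
# A service's binary is recorded under ...\Services\<name>\ImagePath.
_IMAGEPATH_RE = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
# Heuristic: service binaries normally live here. Anything else (Temp,
# AppData, ProgramData, a user profile) deserves a look.
_TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\",
                 "c:\\program files (x86)\\")


def match_hashes(hash_field):
    """Return the algorithms in a Sysmon Hashes field whose value matches the sample."""
    return [algo for algo, value in _HASH_RE.findall(hash_field)
            if SAMPLE_HASHES.get(algo) == value.lower()]


def image_path_exe(details):
    """Extract the executable from an ImagePath value (handles quotes, arguments, %SystemRoot%)."""
    s = re.sub(r"%systemroot%", r"C:\\Windows", details.strip(), flags=re.IGNORECASE)
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(" ", 1)[0]


def image_path_suspicious(details):
    """True when the service binary sits outside the trusted directories."""
    return not image_path_exe(details).lower().startswith(_TRUSTED_DIRS)


def scan_event(ev):
    """Return alert strings for one Sysmon-style event dict."""
    alerts = []
    eid, image = ev.get("EventID"), ev.get("Image", "")
    if eid == 1:  # process creation
        algos = match_hashes(ev.get("Hashes", ""))
        if algos:
            alerts.append(f"known Tofsee binary executed: {image} ({','.join(algos)})")
    elif eid == 3:  # network connection
        if ev.get("DestinationIp") in C2_IPS:
            alerts.append(f"connection to Tofsee C2 {ev['DestinationIp']} from {image}")
    elif eid == 22:  # DNS query
        q = ev.get("QueryName", "").lower().rstrip(".")
        if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
            alerts.append(f"DNS lookup of Tofsee C2 domain {q} by {image}")
    elif eid == 13:  # registry value set
        m = _IMAGEPATH_RE.search(ev.get("TargetObject", ""))
        if m:
            details = ev.get("Details", "")
            # CreateService goes through the SCM, so the writer is services.exe.
            # A direct write by any other process, or a binary outside the
            # trusted locations, is what "Sets service image path in registry" flags.
            by_scm = image.lower().endswith("\\services.exe")
            if image_path_suspicious(details) or not by_scm:
                alerts.append(f"service '{m.group(1)}' ImagePath set to {details} by {image}")
    return alerts


def scan_events(events):
    """Run scan_event over a sequence of events and collect every alert."""
    return [a for ev in events for a in scan_event(ev)]


# Constructed events: one benign service registration and one benign
# connection mixed in with the sample's activity.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\admin\\Desktop\\sample.exe",
     "Hashes": "MD5=15690CFC6F103DF9EE6EC8CE20FDEBC3,"
               "SHA256=705EAFBDE7F8167554B1D394DE00D91D5510106C42DFB00C9CC39685C002A3CF"},
    {"EventID": 13, "Image": "C:\\Users\\admin\\Desktop\\sample.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\svc_example\\ImagePath",
     "Details": "C:\\Windows\\Temp\\svc_example.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\system32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "%SystemRoot%\\System32\\spoolsv.exe"},
    {"EventID": 22, "Image": "C:\\Windows\\Temp\\svc_example.exe", "QueryName": "lazystax.ru"},
    {"EventID": 3, "Image": "C:\\Windows\\Temp\\svc_example.exe", "DestinationIp": "43.231.4.7"},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "192.0.2.10"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Two caveats for real use: the event 1 match only works if the Sysmon configuration records the hash algorithms you compare against (MD5 and SHA256 are not on by default in every config), and the 43.231.4.7 indicator should be aged out once the report is old, since IP space gets re-assigned while the SHA256 stays valid for this exact binary. The ImagePath heuristic will also fire on legitimate third-party services installed under ProgramData or a vendor directory, so treat it as a triage lead rather than a verdict.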
