General

  • Target

    2025-01-27_d0b86455db24c48c02e9c9c129a7f98e_mafia

  • Size

    11.7MB

  • Sample

    250127-m9bzdawqen

  • MD5

    d0b86455db24c48c02e9c9c129a7f98e

  • SHA1

    23b5fdd772bfcc4e8f05a37b9f570de988651afb

  • SHA256

    4b50c7d858cfb0f17475894bb2e4594f1661d3d820e701c717ce35ecef8816a3

  • SHA512

    66e975202ea3ef667e99f81a80bcd7f9a5e16c8f2eb31b704e08625b5aa467fd671d56d74019f1b8fa21b164a3dc358fe34102f306a98ca48f0d1991c5f313c3

  • SSDEEP

    49152:0qE0YKr3fYPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPO:0qtYc3h
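To confirm that a file you have obtained is the sample this report describes, recompute its digests and compare them with the values listed above. The following is an added example, not part of the report or of any sandbox's own tooling: the expected digests are copied from the report, the stand-in input is constructed (the real 11.7MB sample is not shipped with this page), and SSDEEP is omitted because the Python standard library has no fuzzy-hash implementation.

```python
"""Recompute a sample's cryptographic hashes and check them against the report."""
import hashlib
import os
import tempfile

# Expected digests copied from the report above.
REPORT_HASHES = {
    "md5": "d0b86455db24c48c02e9c9c129a7f98e",
    "sha1": "23b5fdd772bfcc4e8f05a37b9f570de988651afb",
    "sha256": "4b50c7d858cfb0f17475894bb2e4594f1661d3d820e701c717ce35ecef8816a3",
    "sha512": "66e975202ea3ef667e99f81a80bcd7f9a5e16c8f2eb31b704e08625b5aa467fd"
              "671d56d74019f1b8fa21b164a3dc358fe34102f306a98ca48f0d1991c5f313c3",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for a file, streaming it once.

    All four hashers are fed from the same read loop, so a large sample is
    never loaded into memory in full."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_digests(actual, expected):
    """Compare computed digests with expected ones.

    Returns (ok, mismatches); mismatches maps algorithm -> (expected, actual).
    Hex case is ignored because reports and tools differ in it."""
    mismatches = {}
    for name, want in expected.items():
        got = actual.get(name)
        if got is None or got.lower() != want.lower():
            mismatches[name] = (want, got)
    return (not mismatches, mismatches)


def verify_sample(path, expected=REPORT_HASHES):
    """Hash a file on disk and compare it with the report's digests."""
    return compare_digests(hash_file(path), expected)


if __name__ == "__main__":
    # Constructed input: a throwaway file standing in for the real sample.
    # Point verify_sample() at the downloaded sample to check it for real.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")
        stand_in = tmp.name
    try:
        ok, bad = verify_sample(stand_in)
        print("matches report:", ok)       # False for the stand-in file
        for name, (want, got) in bad.items():
            print(f"  {name}: expected {want[:16]}..., got {got[:16]}...")
    finally:
        os.unlink(stand_in)
```

Only a full match on every digest counts; MD5 and SHA1 alone are not collision-resistant, so the SHA256 or SHA512 comparison is the one that actually establishes identity with the analysed file.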

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      2025-01-27_d0b86455db24c48c02e9c9c129a7f98e_mafia

    • Tofsee

      Backdoor/botnet that carries out malicious activity on instruction from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext
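The C2 indicators in the Malware Config section and the service, registry and firewall behaviours in the signature list above are the parts of this report a defender can turn into detections. The following is an added example, not part of the report or of the sandbox's own signature engine: it runs simple detection logic over constructed event records whose field names are modelled on the Windows System log's service-install event (7045) and Sysmon events 1, 3, 13 and 22. The list of directories treated as normal locations for a service binary is a heuristic of mine, not something the report states.

```python
"""Detections for the reported behaviours, run over constructed host events."""
import re

# C2 indicators taken from the report's Malware Config section.
C2_IPS = {"43.231.4.7"}
C2_DOMAINS = {"lazystax.ru"}

# Heuristic (assumption, not from the report): directories a service binary is
# normally loaded from. Legitimate third-party services sometimes live
# elsewhere, so a hit is a lead to triage, not a verdict.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "%systemroot%\\",
)

# Registry values of the form ...\Services\<name>\ImagePath
_SERVICES_IMAGEPATH = re.compile(r"\\services\\[^\\]+\\imagepath$", re.IGNORECASE)


def executable_of(image_path):
    """Reduce a service ImagePath ('"C:\\x\\y.exe" -k arg') to the executable."""
    value = image_path.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split(" ", 1)[0]


def is_trusted_path(image_path):
    """True when the executable sits under one of the TRUSTED_PREFIXES."""
    return executable_of(image_path).lower().startswith(TRUSTED_PREFIXES)


def scan(events):
    """Return a list of (rule, detail) findings for the supplied records."""
    findings = []
    for ev in events:
        src, eid = ev.get("source"), ev.get("id")
        if src == "System" and eid == 7045:
            # "Creates new service(s)": service installed from an unusual path
            if not is_trusted_path(ev["ImagePath"]):
                findings.append(("service_installed_from_unusual_path",
                                 f'{ev["ServiceName"]} -> {ev["ImagePath"]}'))
        elif src == "Sysmon" and eid == 13:
            # "Sets service image path in registry": direct ImagePath write
            if (_SERVICES_IMAGEPATH.search(ev["TargetObject"])
                    and not is_trusted_path(ev["Details"])):
                findings.append(("service_imagepath_set_in_registry",
                                 f'{ev["TargetObject"]} = {ev["Details"]}'))
        elif src == "Sysmon" and eid == 1:
            # "Modifies Windows Firewall": netsh advfirewall from any process
            cmd = ev.get("CommandLine", "").lower()
            if ev["Image"].lower().endswith("\\netsh.exe") and "advfirewall" in cmd:
                findings.append(("windows_firewall_modified", ev["CommandLine"]))
        elif src == "Sysmon" and eid == 22:
            # C2 domain resolved, or a lookup that answered with the C2 address
            answers = ev.get("QueryResults", "")
            if ev["QueryName"].lower() in C2_DOMAINS or any(ip in answers for ip in C2_IPS):
                findings.append(("c2_domain_resolved", f'{ev["QueryName"]} -> {answers}'))
        elif src == "Sysmon" and eid == 3:
            # Outbound connection straight to the C2 address
            if ev["DestinationIp"] in C2_IPS:
                findings.append(("c2_connection",
                                 f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))
    return findings


# Constructed sample events (not real telemetry from the analysed sample).
SAMPLE_EVENTS = [
    {"source": "System", "id": 7045, "ServiceName": "Windows Update Helper",
     "ImagePath": "C:\\Users\\Public\\svchost32.exe"},
    {"source": "System", "id": 7045, "ServiceName": "Dnscache",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k NetworkService"},
    {"source": "Sysmon", "id": 13,
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\wuhelper\\ImagePath",
     "Details": "C:\\ProgramData\\wuhelper.exe"},
    {"source": "Sysmon", "id": 1, "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Update" dir=in '
                    'action=allow program="C:\\ProgramData\\wuhelper.exe"'},
    {"source": "Sysmon", "id": 22, "QueryName": "lazystax.ru", "QueryResults": "43.231.4.7"},
    {"source": "Sysmon", "id": 3, "DestinationIp": "43.231.4.7", "DestinationPort": 443},
    {"source": "Sysmon", "id": 3, "DestinationIp": "1.1.1.1", "DestinationPort": 53},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The Dnscache record and the 1.1.1.1 connection are included as benign controls: a trusted service path and an unrelated destination produce no finding, which is the check worth keeping when you tune the trusted-prefix list for your own fleet.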

MITRE ATT&CK Enterprise v15
