General

  • Target

    2025-01-27_d0b86455db24c48c02e9c9c129a7f98e_mafia

  • Size

    11.7MB

  • Sample

    250127-m9bzdawqen

  • MD5

    d0b86455db24c48c02e9c9c129a7f98e

  • SHA1

    23b5fdd772bfcc4e8f05a37b9f570de988651afb

  • SHA256

    4b50c7d858cfb0f17475894bb2e4594f1661d3d820e701c717ce35ecef8816a3

  • SHA512

    66e975202ea3ef667e99f81a80bcd7f9a5e16c8f2eb31b704e08625b5aa467fd671d56d74019f1b8fa21b164a3dc358fe34102f306a98ca48f0d1991c5f313c3

  • SSDEEP

    49152:0qE0YKr3fYPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPO:0qtYc3h

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      2025-01-27_d0b86455db24c48c02e9c9c129a7f98e_mafia

    • Size

      11.7MB

    • MD5

      d0b86455db24c48c02e9c9c129a7f98e

    • SHA1

      23b5fdd772bfcc4e8f05a37b9f570de988651afb

    • SHA256

      4b50c7d858cfb0f17475894bb2e4594f1661d3d820e701c717ce35ecef8816a3

    • SHA512

      66e975202ea3ef667e99f81a80bcd7f9a5e16c8f2eb31b704e08625b5aa467fd671d56d74019f1b8fa21b164a3dc358fe34102f306a98ca48f0d1991c5f313c3

    • SSDEEP

      49152:0qE0YKr3fYPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPO:0qtYc3h

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks