General
-
Target
2025-02-01_294baf6362d4f49cfe0cea1ed29d6345_mafia
-
Size
12.8MB
-
Sample
250201-b9keza1kfz
-
MD5
294baf6362d4f49cfe0cea1ed29d6345
-
SHA1
eec8cc0feeb35395e2defd1d53005501d5c1c53b
-
SHA256
b4e5b6c2e6a59c349804cf87e5663bbcd50ac96aceaf926526d67398a1610fdb
-
SHA512
9c111d5b6835c36de1ac4411359df8f042b9c90b0b5b30af076225487b7d373f334fa83f5c05f91023f1b47bb09dc5f5bc2a6dbe372a1c6c1310eff2a3a913bd
-
SSDEEP
24576:mpomTTN9tttttttttttttttttttttttttttttttttttttttttttttttttttttttD:qoo9
Malware Config
Extracted
tofsee
43.231.4.7
lazystax.ru
Targets
-
-
Target
2025-02-01_294baf6362d4f49cfe0cea1ed29d6345_mafia
-
Size
12.8MB
-
MD5
294baf6362d4f49cfe0cea1ed29d6345
-
SHA1
eec8cc0feeb35395e2defd1d53005501d5c1c53b
-
SHA256
b4e5b6c2e6a59c349804cf87e5663bbcd50ac96aceaf926526d67398a1610fdb
-
SHA512
9c111d5b6835c36de1ac4411359df8f042b9c90b0b5b30af076225487b7d373f334fa83f5c05f91023f1b47bb09dc5f5bc2a6dbe372a1c6c1310eff2a3a913bd
-
SSDEEP
24576:mpomTTN9tttttttttttttttttttttttttttttttttttttttttttttttttttttttD:qoo9
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2