General

  • Target

    2025-02-05_0d6033f04c52d76dfb4f91626b147366_mafia

  • Size

    12.1MB

  • Sample

    250205-1l4w5ssray

  • MD5

    0d6033f04c52d76dfb4f91626b147366

  • SHA1

    2d2b4e4ed500d4b403cfbe1e4f2f8a1549953604

  • SHA256

    6a1da763c46e6b2629d9860a9faff3f8022bb7f3f832351249870c848ea6b5a3

  • SHA512

    d2d24eb3dae4890e0a4ec40cade8d0ed86117ec74127a550069848b59ab3a5d9c0378b815df4a63746b261b05f108e50bc827b3de44f79a978dd5c18c406b474

  • SSDEEP

    6144:9LQ1p/2p5e+D2jFHO+iZoy6u9FlfrXEz9NQNQNQNQNQNQNQNQNQNQNQNQNQNQNQA:uTYe+D2jFu+iZoUFhAzx

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks