tofsee | bfeb3bb07df8f3d3cc3417de8c6ada86f56dbd0f884c11d7422f965871c00556 | Triage

Sharing

General

Target

bfeb3bb07df8f3d3cc3417de8c6ada86f56dbd0f884c11d7422f965871c00556
Size

13.1MB
Sample

201112-c2glbeebp6
MD5

3ce5ab4ee3482c1ec5fbf0b3ebe7b7df
SHA1

54f4b16b4b17d2a278c2cf6c2b33d85a33dc1f04
SHA256

bfeb3bb07df8f3d3cc3417de8c6ada86f56dbd0f884c11d7422f965871c00556
SHA512

0c3645d19aa9efdc11b5d90a08ceacbd27569e050f408838a03fadbb972f04770fddce6e4e26314f822856449018b71d60198bb4e3961459cd069b95d58ee4b2

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  bfeb3bb07df8f3d3cc3417de8c6ada86f56dbd0f884c11d7422f965871c00556
- Size
  
  13.1MB
- MD5
  
  3ce5ab4ee3482c1ec5fbf0b3ebe7b7df
- SHA1
  
  54f4b16b4b17d2a278c2cf6c2b33d85a33dc1f04
- SHA256
  
  bfeb3bb07df8f3d3cc3417de8c6ada86f56dbd0f884c11d7422f965871c00556
- SHA512
  
  0c3645d19aa9efdc11b5d90a08ceacbd27569e050f408838a03fadbb972f04770fddce6e4e26314f822856449018b71d60198bb4e3961459cd069b95d58ee4b2
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Modifies service
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan