tofsee | f432d10722a919cc0054d2036ca3869473d30ff1bea118a5951e1d0f9b312683 | Triage

Sharing

General

Target

f432d10722a919cc0054d2036ca3869473d30ff1bea118a5951e1d0f9b312683
Size

13.1MB
Sample

201113-8cxfp4nmkx
MD5

b0b80979e13efa87be2e305a86c0cd65
SHA1

9f0fa2d99d19c5815b442bafec74b9781f0584b2
SHA256

f432d10722a919cc0054d2036ca3869473d30ff1bea118a5951e1d0f9b312683
SHA512

4d8a2069de3d9bb4ed2d34f29b18dc124b497749f065d74bba93c986d605bab298fed6dbb3eb1142a04f8269b05c8a2c1cf864de4576bfb01d2b824ee1aeb4e6

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  f432d10722a919cc0054d2036ca3869473d30ff1bea118a5951e1d0f9b312683
- Size
  
  13.1MB
- MD5
  
  b0b80979e13efa87be2e305a86c0cd65
- SHA1
  
  9f0fa2d99d19c5815b442bafec74b9781f0584b2
- SHA256
  
  f432d10722a919cc0054d2036ca3869473d30ff1bea118a5951e1d0f9b312683
- SHA512
  
  4d8a2069de3d9bb4ed2d34f29b18dc124b497749f065d74bba93c986d605bab298fed6dbb3eb1142a04f8269b05c8a2c1cf864de4576bfb01d2b824ee1aeb4e6
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Modifies service
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan