tofsee | 0d3ce00823f9490ec470493500673f945da375ea1dd622e86783829addddf8ad | Triage

Sharing

General

Target

0d3ce00823f9490ec470493500673f945da375ea1dd622e86783829addddf8ad
Size

13.7MB
Sample

201113-9v536spkxx
MD5

fda9e1665332053cf72950e2d2d275ec
SHA1

5dd4642ac084b089ffae47d16933776338396eeb
SHA256

0d3ce00823f9490ec470493500673f945da375ea1dd622e86783829addddf8ad
SHA512

24a2fc5e75e32461986668b7ada7cf2b21a01e45114d92c792196e3789fa198407a864b7c8df9f3b36bd1497728932de0bc3ed9bfbc5e69407fc8edb34345e1b

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  0d3ce00823f9490ec470493500673f945da375ea1dd622e86783829addddf8ad
- Size
  
  13.7MB
- MD5
  
  fda9e1665332053cf72950e2d2d275ec
- SHA1
  
  5dd4642ac084b089ffae47d16933776338396eeb
- SHA256
  
  0d3ce00823f9490ec470493500673f945da375ea1dd622e86783829addddf8ad
- SHA512
  
  24a2fc5e75e32461986668b7ada7cf2b21a01e45114d92c792196e3789fa198407a864b7c8df9f3b36bd1497728932de0bc3ed9bfbc5e69407fc8edb34345e1b
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Modifies service
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan