tofsee | 6d8377fe5f324cd744ce2e2a3502a6d3dd53ac18c1033aad6282c90625e68687 | Triage

Sharing

General

Target

6d8377fe5f324cd744ce2e2a3502a6d3dd53ac18c1033aad6282c90625e68687
Size

14.7MB
Sample

201113-f5rvrsp492
MD5

34d46644b3f66a809ab14f8020b5c279
SHA1

99d1658b6f6a4c6b75de5fb9ed82da6df7d5f249
SHA256

6d8377fe5f324cd744ce2e2a3502a6d3dd53ac18c1033aad6282c90625e68687
SHA512

1d858610a192be320848a9a1b9016430debcca6f0c21efcbe539477762030809a9f8fa0bfabc26c2c07d941f5a600427ef169bbd8766943b1d14057d8c6aad4c

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  6d8377fe5f324cd744ce2e2a3502a6d3dd53ac18c1033aad6282c90625e68687
- Size
  
  14.7MB
- MD5
  
  34d46644b3f66a809ab14f8020b5c279
- SHA1
  
  99d1658b6f6a4c6b75de5fb9ed82da6df7d5f249
- SHA256
  
  6d8377fe5f324cd744ce2e2a3502a6d3dd53ac18c1033aad6282c90625e68687
- SHA512
  
  1d858610a192be320848a9a1b9016430debcca6f0c21efcbe539477762030809a9f8fa0bfabc26c2c07d941f5a600427ef169bbd8766943b1d14057d8c6aad4c
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Modifies service
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan