tofsee | e19af916ee2e230b6beafbb6d5c84354947cb03a0aa08754f1d43edb2f88cf08 | Triage

Sharing

General

Target

e19af916ee2e230b6beafbb6d5c84354947cb03a0aa08754f1d43edb2f88cf08
Size

12.5MB
Sample

201114-5n76fbyr7e
MD5

5eec15d95c50d4247f92c621b156ef62
SHA1

a9c2a4b270e2ff09293c4c4454c746058124bd8b
SHA256

e19af916ee2e230b6beafbb6d5c84354947cb03a0aa08754f1d43edb2f88cf08
SHA512

d1472a79531a2ec9fc32492305729eb9812fbaa3b364d8612bb82eed384ea7ca0406a0d78e4fff2c7eb510d8eb5276c9552c3d9c8d9c584900ab2cddbe53da53

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  e19af916ee2e230b6beafbb6d5c84354947cb03a0aa08754f1d43edb2f88cf08
- Size
  
  12.5MB
- MD5
  
  5eec15d95c50d4247f92c621b156ef62
- SHA1
  
  a9c2a4b270e2ff09293c4c4454c746058124bd8b
- SHA256
  
  e19af916ee2e230b6beafbb6d5c84354947cb03a0aa08754f1d43edb2f88cf08
- SHA512
  
  d1472a79531a2ec9fc32492305729eb9812fbaa3b364d8612bb82eed384ea7ca0406a0d78e4fff2c7eb510d8eb5276c9552c3d9c8d9c584900ab2cddbe53da53
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Modifies service
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan