tofsee | 3ad64df00abee547d055fb8b837633ad54f9bb5c91f1823e9f08d490b2fa791c | Triage

Sharing

General

Target

3ad64df00abee547d055fb8b837633ad54f9bb5c91f1823e9f08d490b2fa791c
Size

13.7MB
Sample

201115-qt74xcnmnj
MD5

dc79c526ee5281646de2e4c87c05cf3f
SHA1

e4bb9d69c62f981917d920d82d7522baaa5ebbb1
SHA256

3ad64df00abee547d055fb8b837633ad54f9bb5c91f1823e9f08d490b2fa791c
SHA512

246dc3cf352cdfa45398e461d3e3a48546aba9fc8381c464b0174ad1bb37fb5814e63ad89635a112fa718cbb3966f214c05774a5ca2cdd8bba26c9facf1bb5b2

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  3ad64df00abee547d055fb8b837633ad54f9bb5c91f1823e9f08d490b2fa791c
- Size
  
  13.7MB
- MD5
  
  dc79c526ee5281646de2e4c87c05cf3f
- SHA1
  
  e4bb9d69c62f981917d920d82d7522baaa5ebbb1
- SHA256
  
  3ad64df00abee547d055fb8b837633ad54f9bb5c91f1823e9f08d490b2fa791c
- SHA512
  
  246dc3cf352cdfa45398e461d3e3a48546aba9fc8381c464b0174ad1bb37fb5814e63ad89635a112fa718cbb3966f214c05774a5ca2cdd8bba26c9facf1bb5b2
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Modifies service
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan