tofsee | 6e325e8c95c86d290e1672117dd49a13f26d00efea9eba81979000d9478c66ef | Triage

Sharing

General

Target

46120e1d214529118aa4215d8c856877
Size

11.7MB
Sample

201117-lhz5ey6a86
MD5

cf99d6d2f10b9fef769e29dc9cabdc6d
SHA1

69abee0ee47ce9ced0db790f39a9afb9b86ac8c8
SHA256

6e325e8c95c86d290e1672117dd49a13f26d00efea9eba81979000d9478c66ef
SHA512

bce3509d547691b7a7dc66d1b38f8cbb480edeae3ca46079a297cd746e3b18300eaa92b15207a16430600bfe962422c8bb33c62a3d4cefdcc60738f8d1d87137

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  46120e1d214529118aa4215d8c856877
- Size
  
  11.7MB
- MD5
  
  cf99d6d2f10b9fef769e29dc9cabdc6d
- SHA1
  
  69abee0ee47ce9ced0db790f39a9afb9b86ac8c8
- SHA256
  
  6e325e8c95c86d290e1672117dd49a13f26d00efea9eba81979000d9478c66ef
- SHA512
  
  bce3509d547691b7a7dc66d1b38f8cbb480edeae3ca46079a297cd746e3b18300eaa92b15207a16430600bfe962422c8bb33c62a3d4cefdcc60738f8d1d87137
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Modifies service
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan