tofsee | 65b06139254e9d7ad3e56e67b498473d31abb7e8b9a32a1a537fd9ec607232ff | Triage

Sharing

General

Target

354b570754a39b62f08fa243e04e0ac4
Size

11.8MB
Sample

201214-15g8sn61m6
MD5

354b570754a39b62f08fa243e04e0ac4
SHA1

9662324cd2f8a2f1600ba42b64cf14b30d05b57f
SHA256

65b06139254e9d7ad3e56e67b498473d31abb7e8b9a32a1a537fd9ec607232ff
SHA512

b5e315aaec0e8b6d4968110cbb73d344a371410e6d7b879145156895823eeed9fda7430c39a2b9f87451fb70fc44d41bfd6e651d11d53cbe70637134f0dd24b6

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  354b570754a39b62f08fa243e04e0ac4
- Size
  
  11.8MB
- MD5
  
  354b570754a39b62f08fa243e04e0ac4
- SHA1
  
  9662324cd2f8a2f1600ba42b64cf14b30d05b57f
- SHA256
  
  65b06139254e9d7ad3e56e67b498473d31abb7e8b9a32a1a537fd9ec607232ff
- SHA512
  
  b5e315aaec0e8b6d4968110cbb73d344a371410e6d7b879145156895823eeed9fda7430c39a2b9f87451fb70fc44d41bfd6e651d11d53cbe70637134f0dd24b6
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan