tofsee | 388e770957cb4e6e396d8ef4a0cf158a69e3cdeb98157b013e79327013706afe | Triage

Sharing

General

Target

b23ec80dcfd2ee8ad973ac39a4b6488b
Size

13.5MB
Sample

201214-4f42s8n91s
MD5

b23ec80dcfd2ee8ad973ac39a4b6488b
SHA1

58a7c7a55442f3f22b61bb94eff369288f8b6392
SHA256

388e770957cb4e6e396d8ef4a0cf158a69e3cdeb98157b013e79327013706afe
SHA512

4f92d9235235702099771a60f5c8ea1fe83dd8dc2dbd05649d353f43de4c54a89249fb513659aad3022688e98cc8dbbe5a3ba144e12eedc3c2c000ca5d8e355d

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  b23ec80dcfd2ee8ad973ac39a4b6488b
- Size
  
  13.5MB
- MD5
  
  b23ec80dcfd2ee8ad973ac39a4b6488b
- SHA1
  
  58a7c7a55442f3f22b61bb94eff369288f8b6392
- SHA256
  
  388e770957cb4e6e396d8ef4a0cf158a69e3cdeb98157b013e79327013706afe
- SHA512
  
  4f92d9235235702099771a60f5c8ea1fe83dd8dc2dbd05649d353f43de4c54a89249fb513659aad3022688e98cc8dbbe5a3ba144e12eedc3c2c000ca5d8e355d
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan