tofsee | 83f46bbf5414ef3e3eba95cbabf5b48802e01a426e14d4ebe51e6a6b6c67a574 | Triage

Sharing

General

Target

aff9ab5bd7309235fdfc643d535f89da
Size

15.0MB
Sample

201214-a8r4w5jwwe
MD5

aff9ab5bd7309235fdfc643d535f89da
SHA1

7cbf21edc211abbf977f2ed01e317166e00c84ab
SHA256

83f46bbf5414ef3e3eba95cbabf5b48802e01a426e14d4ebe51e6a6b6c67a574
SHA512

0839288097ed86580fae041b59ac51aceac24e22ba5aef9bd50865de2dc2d897608dde150c4a6cc240bb9cab16a49b1c36d84bde9d07b761b3251878d7ca4cd2

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  aff9ab5bd7309235fdfc643d535f89da
- Size
  
  15.0MB
- MD5
  
  aff9ab5bd7309235fdfc643d535f89da
- SHA1
  
  7cbf21edc211abbf977f2ed01e317166e00c84ab
- SHA256
  
  83f46bbf5414ef3e3eba95cbabf5b48802e01a426e14d4ebe51e6a6b6c67a574
- SHA512
  
  0839288097ed86580fae041b59ac51aceac24e22ba5aef9bd50865de2dc2d897608dde150c4a6cc240bb9cab16a49b1c36d84bde9d07b761b3251878d7ca4cd2
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

evasionpersistencetrojan