tofsee | a63de1840c26f10d5881a152ba21e8c2fe63691482cdb9aae774b1cc52a56332 | Triage

Sharing

General

Target

a722f9d9529debf6f3b0544b96c710cb
Size

12.9MB
Sample

201214-g2g4fvh92s
MD5

a722f9d9529debf6f3b0544b96c710cb
SHA1

cf53e04b1a3ba8afa903ee310a02c9a1b5b27e17
SHA256

a63de1840c26f10d5881a152ba21e8c2fe63691482cdb9aae774b1cc52a56332
SHA512

a40f87704d848a13bd3eb17201f3cca48188d74878fb905f748e68455b0225949c94c47e310abbed8c8ff4c5e56cea0901316d33a70555b2031b486b70e04919

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  a722f9d9529debf6f3b0544b96c710cb
- Size
  
  12.9MB
- MD5
  
  a722f9d9529debf6f3b0544b96c710cb
- SHA1
  
  cf53e04b1a3ba8afa903ee310a02c9a1b5b27e17
- SHA256
  
  a63de1840c26f10d5881a152ba21e8c2fe63691482cdb9aae774b1cc52a56332
- SHA512
  
  a40f87704d848a13bd3eb17201f3cca48188d74878fb905f748e68455b0225949c94c47e310abbed8c8ff4c5e56cea0901316d33a70555b2031b486b70e04919
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

evasionpersistencetrojan