tofsee | 60bcd69140ed6a79b7baa6a0005bfbef07a13f6918db29f4e6b1e6f5290d6db3 | Triage

Sharing

General

Target

733547b3964e5000616fa0fa71f31e8e
Size

12.6MB
Sample

201214-ln5te4ywb2
MD5

733547b3964e5000616fa0fa71f31e8e
SHA1

3e4691a61f811d8cc8c10b7a6e64c41d1f645c86
SHA256

60bcd69140ed6a79b7baa6a0005bfbef07a13f6918db29f4e6b1e6f5290d6db3
SHA512

0df59d78a4222f4e0e693668a33e4c28af17991ee119f58892524be5494f29830f81361b7ca4f1570909530d80089a8c08a6eb73e7455c0ccd32d2e700fcda7f

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  733547b3964e5000616fa0fa71f31e8e
- Size
  
  12.6MB
- MD5
  
  733547b3964e5000616fa0fa71f31e8e
- SHA1
  
  3e4691a61f811d8cc8c10b7a6e64c41d1f645c86
- SHA256
  
  60bcd69140ed6a79b7baa6a0005bfbef07a13f6918db29f4e6b1e6f5290d6db3
- SHA512
  
  0df59d78a4222f4e0e693668a33e4c28af17991ee119f58892524be5494f29830f81361b7ca4f1570909530d80089a8c08a6eb73e7455c0ccd32d2e700fcda7f
Score

10^/10

evasion persistence trojan tofsee
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan