tofsee | 0f1625c8dfa3634a83f6a378fba14c07da2289d78881bc10b03ff06b87f3597d | Triage

Sharing

General

Target

a2f750ea33e71a374a0e40cb66bad6cb
Size

10.7MB
Sample

201214-tqcywy2456
MD5

a2f750ea33e71a374a0e40cb66bad6cb
SHA1

c13139c6d890e4c4fa7772751c4459a74f9ec382
SHA256

0f1625c8dfa3634a83f6a378fba14c07da2289d78881bc10b03ff06b87f3597d
SHA512

739f55776c23f55646261154873fc3c29ed53506e54703d2989ac796443b65947b197a71b7a21f273d2d81c299759d8247f3d2be9a58004e02aa02a8ddc66f80

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  a2f750ea33e71a374a0e40cb66bad6cb
- Size
  
  10.7MB
- MD5
  
  a2f750ea33e71a374a0e40cb66bad6cb
- SHA1
  
  c13139c6d890e4c4fa7772751c4459a74f9ec382
- SHA256
  
  0f1625c8dfa3634a83f6a378fba14c07da2289d78881bc10b03ff06b87f3597d
- SHA512
  
  739f55776c23f55646261154873fc3c29ed53506e54703d2989ac796443b65947b197a71b7a21f273d2d81c299759d8247f3d2be9a58004e02aa02a8ddc66f80
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan