tofsee | 31e02e3b5a2080405d23e14f35aab57c675ed9e99fc813b79f9a6bc02d29dbed | Triage

Sharing

General

Target

b5c0d38dbf30c0db0bab6b5e9e6830ed
Size

11.6MB
Sample

201214-wf7phte99a
MD5

b5c0d38dbf30c0db0bab6b5e9e6830ed
SHA1

73d4487644c81ac0cdc8ba59cfbe4b610d02ac4d
SHA256

31e02e3b5a2080405d23e14f35aab57c675ed9e99fc813b79f9a6bc02d29dbed
SHA512

d97ec4dec0f04aef6aa1468ecd97394d29d359e125374ac53d0733b6cfe340d5f37b67c319b61a2d8132125c587b9775ea45fb2a3acdcf2983b0dfb43a94a07e

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  b5c0d38dbf30c0db0bab6b5e9e6830ed
- Size
  
  11.6MB
- MD5
  
  b5c0d38dbf30c0db0bab6b5e9e6830ed
- SHA1
  
  73d4487644c81ac0cdc8ba59cfbe4b610d02ac4d
- SHA256
  
  31e02e3b5a2080405d23e14f35aab57c675ed9e99fc813b79f9a6bc02d29dbed
- SHA512
  
  d97ec4dec0f04aef6aa1468ecd97394d29d359e125374ac53d0733b6cfe340d5f37b67c319b61a2d8132125c587b9775ea45fb2a3acdcf2983b0dfb43a94a07e
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan