tofsee | 3d8efe324e234ca7b31ec46dae3e9fe5c98da16bfcf5cd0b43585ef2b00de606 | Triage

Sharing

General

Target

4ac2eac8e4dac3288be47509a33c4a67
Size

10.4MB
Sample

201214-wwl7mhbn82
MD5

4ac2eac8e4dac3288be47509a33c4a67
SHA1

b1fa98d1320a6c2d5ccc799dad147b4272f9825a
SHA256

3d8efe324e234ca7b31ec46dae3e9fe5c98da16bfcf5cd0b43585ef2b00de606
SHA512

5540a97eea6b3ea877623d1358761cd8b1a2467a9c559bd3aed4fd503db4281699acbd7e31c13da31c11ec48b335873513686b3bb41d38572218bc87a65c6790

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  4ac2eac8e4dac3288be47509a33c4a67
- Size
  
  10.4MB
- MD5
  
  4ac2eac8e4dac3288be47509a33c4a67
- SHA1
  
  b1fa98d1320a6c2d5ccc799dad147b4272f9825a
- SHA256
  
  3d8efe324e234ca7b31ec46dae3e9fe5c98da16bfcf5cd0b43585ef2b00de606
- SHA512
  
  5540a97eea6b3ea877623d1358761cd8b1a2467a9c559bd3aed4fd503db4281699acbd7e31c13da31c11ec48b335873513686b3bb41d38572218bc87a65c6790
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan