tofsee | 9b70b8bd04c8ab2d25ebf024b23cbf44f541c6a835d0b0b4cd35e71c284baa14 | Triage

Sharing

General

Target

0e7bc915182d2c168803acfaffb7fe9c
Size

11.2MB
Sample

201214-xjcdsygw2e
MD5

0e7bc915182d2c168803acfaffb7fe9c
SHA1

8a761cc25f05a8b61d8f509b5c34871466420e48
SHA256

9b70b8bd04c8ab2d25ebf024b23cbf44f541c6a835d0b0b4cd35e71c284baa14
SHA512

3b57cb0a86183bf91096844a3bbea5d4a1d1c8875c75776cb6f0b2ebfbd8579cfa7570d28c91d5a4bb24314607ab1f6e2c3a461aa0aaedc5190df28745d115c1

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  0e7bc915182d2c168803acfaffb7fe9c
- Size
  
  11.2MB
- MD5
  
  0e7bc915182d2c168803acfaffb7fe9c
- SHA1
  
  8a761cc25f05a8b61d8f509b5c34871466420e48
- SHA256
  
  9b70b8bd04c8ab2d25ebf024b23cbf44f541c6a835d0b0b4cd35e71c284baa14
- SHA512
  
  3b57cb0a86183bf91096844a3bbea5d4a1d1c8875c75776cb6f0b2ebfbd8579cfa7570d28c91d5a4bb24314607ab1f6e2c3a461aa0aaedc5190df28745d115c1
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan