tofsee | 60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532 | Triage

Sharing

General

Target

60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532
Size

98KB
Sample

210513-feqlm4fed6
MD5

9ad29d46cf10bae1cb938e5bcdf87ac4
SHA1

7db1ddffd9bf441769c4125b484b3a5703053bc8
SHA256

60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532
SHA512

f8e202ccf7d159f83040e1dba530c853dcfaa431a1999e520e172faf7a6e248b4aa3d282fb335962578668850f3325785cc6835c98e7b116cfbba78bfc7ebc8d

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532
- Size
  
  98KB
- MD5
  
  9ad29d46cf10bae1cb938e5bcdf87ac4
- SHA1
  
  7db1ddffd9bf441769c4125b484b3a5703053bc8
- SHA256
  
  60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532
- SHA512
  
  f8e202ccf7d159f83040e1dba530c853dcfaa431a1999e520e172faf7a6e248b4aa3d282fb335962578668850f3325785cc6835c98e7b116cfbba78bfc7ebc8d
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan