tofsee | 19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115 | Triage

Sharing

General

Target

19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115
Size

14.0MB
Sample

210513-s71nre96hs
MD5

6ffdeca48480ac86795b6f9c26f2d0ca
SHA1

a8eb2514ef334e9fb8622a9eea1b8c2b8b7c024e
SHA256

19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115
SHA512

1528b11f286b8ffa40470c8681caa215bd2425b4cadeab8537392fa1e7c3853b2f3150a3668401c0523ebea44bd6a629f691c70b53f55883f7c36cf8694df2f6

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115
- Size
  
  14.0MB
- MD5
  
  6ffdeca48480ac86795b6f9c26f2d0ca
- SHA1
  
  a8eb2514ef334e9fb8622a9eea1b8c2b8b7c024e
- SHA256
  
  19b21277c1084248de6760e9de78f99db5519cf8561afe606e30ca4230134115
- SHA512
  
  1528b11f286b8ffa40470c8681caa215bd2425b4cadeab8537392fa1e7c3853b2f3150a3668401c0523ebea44bd6a629f691c70b53f55883f7c36cf8694df2f6
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan