tofsee | 189c5efc65e3b28e3536ffb8616766b36115b058ceb6548c87bb3e4d3a5e0232 | Triage

Sharing

General

Target

189c5efc65e3b28e3536ffb8616766b36115b058ceb6548c87bb3e4d3a5e0232
Size

11.7MB
Sample

210515-l99y2n77qx
MD5

0b9eaf5502101f33252e46846f4db5a5
SHA1

620b46abbe9d9e3884d28d85fe7b949c17538eda
SHA256

189c5efc65e3b28e3536ffb8616766b36115b058ceb6548c87bb3e4d3a5e0232
SHA512

23fda346f08da77d3158d0a9c464a382af17c9a5649ed4b89152dec01d2527ec0cb9f6d43d5b8decf7ebcf0d65e0906f69a2443e72605c4eb7f549a004ce378c

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Targets

- Target
  
  189c5efc65e3b28e3536ffb8616766b36115b058ceb6548c87bb3e4d3a5e0232
- Size
  
  11.7MB
- MD5
  
  0b9eaf5502101f33252e46846f4db5a5
- SHA1
  
  620b46abbe9d9e3884d28d85fe7b949c17538eda
- SHA256
  
  189c5efc65e3b28e3536ffb8616766b36115b058ceb6548c87bb3e4d3a5e0232
- SHA512
  
  23fda346f08da77d3158d0a9c464a382af17c9a5649ed4b89152dec01d2527ec0cb9f6d43d5b8decf7ebcf0d65e0906f69a2443e72605c4eb7f549a004ce378c
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan