tofsee | 45e247392ea8d6187fd469161a3cb3ec2c465deacdf624f9cfafda37d070f26e | Triage

Sharing

General

Target

45e247392ea8d6187fd469161a3cb3ec2c465deacdf624f9cfafda37d070f26e
Size

270KB
Sample

220124-jn61vadeh9
MD5

67abef7218b3cc16b6cb7177643c1886
SHA1

2026aac881ee7a6d32b30e1b0cc326bb618db878
SHA256

45e247392ea8d6187fd469161a3cb3ec2c465deacdf624f9cfafda37d070f26e
SHA512

18ab11ac2a12995515f5480b837d20fc9c1ce9103fe2aa2bc0c325f8d67c576483fe9a69ae9027d8a0db3a30f3dfed2f2a38175b63032ecbcc6e7cec1f72a136

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

patmushta.info

ovicrush.cn

Targets

- Target
  
  45e247392ea8d6187fd469161a3cb3ec2c465deacdf624f9cfafda37d070f26e
- Size
  
  270KB
- MD5
  
  67abef7218b3cc16b6cb7177643c1886
- SHA1
  
  2026aac881ee7a6d32b30e1b0cc326bb618db878
- SHA256
  
  45e247392ea8d6187fd469161a3cb3ec2c465deacdf624f9cfafda37d070f26e
- SHA512
  
  18ab11ac2a12995515f5480b837d20fc9c1ce9103fe2aa2bc0c325f8d67c576483fe9a69ae9027d8a0db3a30f3dfed2f2a38175b63032ecbcc6e7cec1f72a136
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan