tofsee | b4870409b801692faf71a13983f411bc6d39d0503177b105f888c6d0097a3ab8 | Triage

Sharing

General

Target

b4870409b801692faf71a13983f411bc6d39d0503177b105f888c6d0097a3ab8
Size

270KB
Sample

220124-lsm5msebdq
MD5

303b3d03908034295d2ede5b6ea07f57
SHA1

1fa657bc725e38ba78092c2cfb315b2c6266b5af
SHA256

b4870409b801692faf71a13983f411bc6d39d0503177b105f888c6d0097a3ab8
SHA512

8f629b62b5df4ec4b342aef4a7e4b18856c757fd00b9f4937fa5d9ae0ecea56c654fdc7af177b46429a2a1a3801e53ff6e9b16a7bddaaaea1f5af3be83d9a3e0

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

patmushta.info

ovicrush.cn

Targets

- Target
  
  b4870409b801692faf71a13983f411bc6d39d0503177b105f888c6d0097a3ab8
- Size
  
  270KB
- MD5
  
  303b3d03908034295d2ede5b6ea07f57
- SHA1
  
  1fa657bc725e38ba78092c2cfb315b2c6266b5af
- SHA256
  
  b4870409b801692faf71a13983f411bc6d39d0503177b105f888c6d0097a3ab8
- SHA512
  
  8f629b62b5df4ec4b342aef4a7e4b18856c757fd00b9f4937fa5d9ae0ecea56c654fdc7af177b46429a2a1a3801e53ff6e9b16a7bddaaaea1f5af3be83d9a3e0
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan