tofsee | 101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7 | Triage

Sharing

General

Target

101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7
Size

137KB
Sample

220604-qtwwdsdegm
MD5

d621a78cf6343c38fa7356b7a2846ddd
SHA1

8037750152302eeffddab9e0efe93967bbafd582
SHA256

101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7
SHA512

6c3144dc20bc6048456bb6330b93df1566d969971334259e393c15e38c1f282e24f982ea28400b53283a6b538d4a7fcbe6283cad0fe24b8f45cd26bdc4c70ef4

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7
- Size
  
  137KB
- MD5
  
  d621a78cf6343c38fa7356b7a2846ddd
- SHA1
  
  8037750152302eeffddab9e0efe93967bbafd582
- SHA256
  
  101512df3ce4c79c8f763e779e8d0cf1bfe31089b7107eb384280c3f6adc40b7
- SHA512
  
  6c3144dc20bc6048456bb6330b93df1566d969971334259e393c15e38c1f282e24f982ea28400b53283a6b538d4a7fcbe6283cad0fe24b8f45cd26bdc4c70ef4
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan