tofsee | 60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532 | Triage

Sharing

General

Target

60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532
Size

98KB
Sample

220605-cws1mabgdk
MD5

9ad29d46cf10bae1cb938e5bcdf87ac4
SHA1

7db1ddffd9bf441769c4125b484b3a5703053bc8
SHA256

60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532
SHA512

f8e202ccf7d159f83040e1dba530c853dcfaa431a1999e520e172faf7a6e248b4aa3d282fb335962578668850f3325785cc6835c98e7b116cfbba78bfc7ebc8d

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532
- Size
  
  98KB
- MD5
  
  9ad29d46cf10bae1cb938e5bcdf87ac4
- SHA1
  
  7db1ddffd9bf441769c4125b484b3a5703053bc8
- SHA256
  
  60e07537db60ab75980d74059ff3967dfd3394b5b7a2a71cf1e22fbdd8e90532
- SHA512
  
  f8e202ccf7d159f83040e1dba530c853dcfaa431a1999e520e172faf7a6e248b4aa3d282fb335962578668850f3325785cc6835c98e7b116cfbba78bfc7ebc8d
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

tofseeevasionpersistencetrojan