tofsee | cf822f50e274b82120b3389049e8931948bc535a4b95c905efa9416225668c2e | Triage

Sharing

General

Target

cf822f50e274b82120b3389049e8931948bc535a4b95c905efa9416225668c2e
Size

309KB
Sample

220605-ldws8sdgdk
MD5

7d40376fee22fcd7c818a9fec569ba68
SHA1

97e9ab6393116df99769e48595501b54fb01f65f
SHA256

cf822f50e274b82120b3389049e8931948bc535a4b95c905efa9416225668c2e
SHA512

2eaa34fbbfa4d03f6e7c1bf31f79880cea0ef00af17f13007aaf5d53cd15ed4632a4807408384a6392acb18e995eab6e77bb60413faee8814da5f9c6c0503e22

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  cf822f50e274b82120b3389049e8931948bc535a4b95c905efa9416225668c2e
- Size
  
  309KB
- MD5
  
  7d40376fee22fcd7c818a9fec569ba68
- SHA1
  
  97e9ab6393116df99769e48595501b54fb01f65f
- SHA256
  
  cf822f50e274b82120b3389049e8931948bc535a4b95c905efa9416225668c2e
- SHA512
  
  2eaa34fbbfa4d03f6e7c1bf31f79880cea0ef00af17f13007aaf5d53cd15ed4632a4807408384a6392acb18e995eab6e77bb60413faee8814da5f9c6c0503e22
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan