tofsee | 19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf | Triage

Sharing

General

Target

19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf
Size

142KB
Sample

220608-f1zwhsegh6
MD5

70780b64e4a6d98605af8971d4c087ea
SHA1

862b12cfea6bf1c5e636f58e8bcdaf89482c94af
SHA256

19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf
SHA512

cbdfdf35c0f31aaf4870709aa07c3c93edf8c5b504d39f44838e9ffc4d7eeee3483e9c3a6c98a92d1fcdbb3e0e585127f0635c535575faa2509f9dbd54ac3950

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf
- Size
  
  142KB
- MD5
  
  70780b64e4a6d98605af8971d4c087ea
- SHA1
  
  862b12cfea6bf1c5e636f58e8bcdaf89482c94af
- SHA256
  
  19cd7ad7229f202403df4755e341f3b8856150a773217ea70fe7c8be52ad8fcf
- SHA512
  
  cbdfdf35c0f31aaf4870709aa07c3c93edf8c5b504d39f44838e9ffc4d7eeee3483e9c3a6c98a92d1fcdbb3e0e585127f0635c535575faa2509f9dbd54ac3950
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan