tofsee | 2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676 | Triage

Submit
Reports

Overview

overview

Static

static

8

2267e3a4b5...76.exe

windows7_x64

2267e3a4b5...76.exe

windows10-2004_x64

8

Sharing

General

Target

2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676
Size

152KB
Sample

220612-f1c2rafhfl
MD5

8c49fb45ab38659a7e1c22685a2578c9
SHA1

9c2e7120232d29d7bb75797d8256dafb8bb424b1
SHA256

2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676
SHA512

4189f9fa47a92eee0456ceb4f90ac595abc83eebd003cfd88980018ec50075683a6fff00f20c418801d50057d61363795bfa1d4794cc0e7794a3067baf3450bc

Score

10^/10

tofsee persistence trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe

Resource

win7-20220414-en

tofsee persistence trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676.exe

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

tofsee

C2

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

- Target
  
  2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676
- Size
  
  152KB
- MD5
  
  8c49fb45ab38659a7e1c22685a2578c9
- SHA1
  
  9c2e7120232d29d7bb75797d8256dafb8bb424b1
- SHA256
  
  2267e3a4b504a7cdf3c191f385a2233f40843ba18c06b7d745b8f78329537676
- SHA512
  
  4189f9fa47a92eee0456ceb4f90ac595abc83eebd003cfd88980018ec50075683a6fff00f20c418801d50057d61363795bfa1d4794cc0e7794a3067baf3450bc
Score

10^/10

tofsee persistence trojan upx
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseepersistencetrojanupx

behavioral2

© 2018-2024

Terms | Privacy