tofsee | 204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257 | Triage

Sharing

General

Target

204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257
Size

143KB
Sample

220612-p724wsgga6
MD5

6a07816512f5c3fc626e4f8fcc9b0058
SHA1

217533c5246f3133256dbf6cf09f450bd7e3edcd
SHA256

204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257
SHA512

1e65a4680b1e3e2fb94e3a7e0fe53189ebe306bfe61d2a18b3ae4226e28078cd37ad0fcaba58de5b0b542d205b9152c26e32cd596e2954f29cb200b816bfc721

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257
- Size
  
  143KB
- MD5
  
  6a07816512f5c3fc626e4f8fcc9b0058
- SHA1
  
  217533c5246f3133256dbf6cf09f450bd7e3edcd
- SHA256
  
  204e71a886288bb5d37336b601c608f2b2ce3b8cf3003adef9a3db70d13f0257
- SHA512
  
  1e65a4680b1e3e2fb94e3a7e0fe53189ebe306bfe61d2a18b3ae4226e28078cd37ad0fcaba58de5b0b542d205b9152c26e32cd596e2954f29cb200b816bfc721
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan