tofsee | 295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11 | Triage

Sharing

General

Target

295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11
Size

342KB
Sample

220615-rzhfmaeab5
MD5

9b2b3970effdd49a3194b83a272b29bd
SHA1

9c141b488d126a2e7f25b541d14307acec0e6262
SHA256

295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11
SHA512

005dc7ff7bedbb07add0f048690dae179f17421e20ec9f3f63c5f54c65966752a9e46dc062ecbdbcbca7dd92591ac70822eb21c595ef453752ef878cf15a8d7c

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11
- Size
  
  342KB
- MD5
  
  9b2b3970effdd49a3194b83a272b29bd
- SHA1
  
  9c141b488d126a2e7f25b541d14307acec0e6262
- SHA256
  
  295f2e7a08269def791aa11bfafa9d73e36ac9fa6dd292f2b62b1bcf8758aa11
- SHA512
  
  005dc7ff7bedbb07add0f048690dae179f17421e20ec9f3f63c5f54c65966752a9e46dc062ecbdbcbca7dd92591ac70822eb21c595ef453752ef878cf15a8d7c
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan