tofsee | e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757 | Triage

Sharing

General

Target

e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757
Size

300KB
Sample

220619-h78s4sgah9
MD5

925e5cc6c24e1e19a63e0864fb3b0b7e
SHA1

50b910f1c263181179dcd374116384309c1452bd
SHA256

e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757
SHA512

f91c1a890f74dd637bc1a99f13a2c0de522a088246a10e065c2246bb531082ce872205520843386125e1421d456243885466a1307985446a82ec223b42f71246

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757
- Size
  
  300KB
- MD5
  
  925e5cc6c24e1e19a63e0864fb3b0b7e
- SHA1
  
  50b910f1c263181179dcd374116384309c1452bd
- SHA256
  
  e9941d6066edc610eeab228d15dc7cea14d2613d5005e2040ba49d510c012757
- SHA512
  
  f91c1a890f74dd637bc1a99f13a2c0de522a088246a10e065c2246bb531082ce872205520843386125e1421d456243885466a1307985446a82ec223b42f71246
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Privilege Escalation

New Service

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan