tofsee | 2ea3f9f2f531dc5153dd2e93f7cc763ce3e425c67eb64dcd06f5204598649b59 | Triage

Sharing

General

Target

2ea3f9f2f531dc5153dd2e93f7cc763ce3e425c67eb64dcd06f5204598649b59
Size

142KB
Sample

220622-jfmx1aafdr
MD5

5e40852b1b836ae50ea61b4dc56124e9
SHA1

b01babd89da56da58ae26ea756bfe6dbdbc917d5
SHA256

2ea3f9f2f531dc5153dd2e93f7cc763ce3e425c67eb64dcd06f5204598649b59
SHA512

7e57324bafde20171129bd0a873654cece5827e93a00423bf98a89612343cd483fd67556dedaa72c5ae92f2a603c9dfab880881d986722d1403c508b523bc276

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2ea3f9f2f531dc5153dd2e93f7cc763ce3e425c67eb64dcd06f5204598649b59
- Size
  
  142KB
- MD5
  
  5e40852b1b836ae50ea61b4dc56124e9
- SHA1
  
  b01babd89da56da58ae26ea756bfe6dbdbc917d5
- SHA256
  
  2ea3f9f2f531dc5153dd2e93f7cc763ce3e425c67eb64dcd06f5204598649b59
- SHA512
  
  7e57324bafde20171129bd0a873654cece5827e93a00423bf98a89612343cd483fd67556dedaa72c5ae92f2a603c9dfab880881d986722d1403c508b523bc276
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2