tofsee | 3f7bb036eef312a9c1fca60105f1b87235dc8b14d617e415f95a7043f9efe917 | Triage

Sharing

General

Target

3f7bb036eef312a9c1fca60105f1b87235dc8b14d617e415f95a7043f9efe917
Size

137KB
Sample

220701-bt8gvsgaf3
MD5

708dc91ee0b8a61718e9991a1396b23f
SHA1

d7bd310fd1a8ba9500c00b4e7626aa780552d26c
SHA256

3f7bb036eef312a9c1fca60105f1b87235dc8b14d617e415f95a7043f9efe917
SHA512

569e90713153b268f2cdcb12e78156facdcda6e936ae45e0032d317efe9d8d442d53335ab7e37514cb800d9885d5c575209b2a64e098e69c4c4db20f927f7278

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  3f7bb036eef312a9c1fca60105f1b87235dc8b14d617e415f95a7043f9efe917
- Size
  
  137KB
- MD5
  
  708dc91ee0b8a61718e9991a1396b23f
- SHA1
  
  d7bd310fd1a8ba9500c00b4e7626aa780552d26c
- SHA256
  
  3f7bb036eef312a9c1fca60105f1b87235dc8b14d617e415f95a7043f9efe917
- SHA512
  
  569e90713153b268f2cdcb12e78156facdcda6e936ae45e0032d317efe9d8d442d53335ab7e37514cb800d9885d5c575209b2a64e098e69c4c4db20f927f7278
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan