tofsee | 820b43708e064c1a6eb1eeb411b011e900fcd162afdd55d077ef619777a9d12b | Triage

Sharing

General

Target

820b43708e064c1a6eb1eeb411b011e900fcd162afdd55d077ef619777a9d12b
Size

10.2MB
Sample

220719-ky6nhaaba5
MD5

1e8fbe02f284b3c2e591e29f1e1de377
SHA1

27750d8df6cacbce285525556e00579b67ace994
SHA256

820b43708e064c1a6eb1eeb411b011e900fcd162afdd55d077ef619777a9d12b
SHA512

59b8ed39fab69bcac36a07d2116c893e215759218b98e61c1955874ba84954e5f5f23289b7ee7c57b9b10e12cc9efe02515760eac819b4e0ce129bb11ef92322

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

- Target
  
  820b43708e064c1a6eb1eeb411b011e900fcd162afdd55d077ef619777a9d12b
- Size
  
  10.2MB
- MD5
  
  1e8fbe02f284b3c2e591e29f1e1de377
- SHA1
  
  27750d8df6cacbce285525556e00579b67ace994
- SHA256
  
  820b43708e064c1a6eb1eeb411b011e900fcd162afdd55d077ef619777a9d12b
- SHA512
  
  59b8ed39fab69bcac36a07d2116c893e215759218b98e61c1955874ba84954e5f5f23289b7ee7c57b9b10e12cc9efe02515760eac819b4e0ce129bb11ef92322
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan