tofsee | 4e41be7919494e0b7e8d3417301228bb0918448e8ab0231bc51aee61f5d2703c | Triage

Sharing

General

Target

4e41be7919494e0b7e8d3417301228bb0918448e8ab0231bc51aee61f5d2703c
Size

142KB
Sample

220720-ws439seca3
MD5

af23172c56640088451aa6ddd47fd779
SHA1

cdde3744c19b8ec13539ec3e62cdc052136e9681
SHA256

4e41be7919494e0b7e8d3417301228bb0918448e8ab0231bc51aee61f5d2703c
SHA512

82194af5df87f1f850d875300080b945c395e4b0e67ed3eca9f0b83d7ad8fddd88e59200e3ddaa6f5096c5da7aa15a9a9620959b92b6f5b2c85add696812f8a7

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  4e41be7919494e0b7e8d3417301228bb0918448e8ab0231bc51aee61f5d2703c
- Size
  
  142KB
- MD5
  
  af23172c56640088451aa6ddd47fd779
- SHA1
  
  cdde3744c19b8ec13539ec3e62cdc052136e9681
- SHA256
  
  4e41be7919494e0b7e8d3417301228bb0918448e8ab0231bc51aee61f5d2703c
- SHA512
  
  82194af5df87f1f850d875300080b945c395e4b0e67ed3eca9f0b83d7ad8fddd88e59200e3ddaa6f5096c5da7aa15a9a9620959b92b6f5b2c85add696812f8a7
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan