tofsee | 5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839 | Triage

Sharing

General

Target

5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839
Size

106KB
Sample

220725-vdrnysbbak
MD5

8c122278e768601f20f1e9f6c407cce2
SHA1

a3f99a111ad0a22614a10337ef807607262aea61
SHA256

5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839
SHA512

11a1e995193b09ca342bb7a0c3203c0a41b7d83260666b8ac460c14c7c74c8683b00e407ddb97cceba87fb442635807b70eb9581326f886e6b673bee72096173

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839
- Size
  
  106KB
- MD5
  
  8c122278e768601f20f1e9f6c407cce2
- SHA1
  
  a3f99a111ad0a22614a10337ef807607262aea61
- SHA256
  
  5527e07895f412771ae4350dfa825e5d08140073600ebd6aa321276b737cc839
- SHA512
  
  11a1e995193b09ca342bb7a0c3203c0a41b7d83260666b8ac460c14c7c74c8683b00e407ddb97cceba87fb442635807b70eb9581326f886e6b673bee72096173
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan