tofsee | 5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb | Triage

Submit
Reports

Overview

overview

Static

static

8

5412ce24db...cb.exe

windows7-x64

5412ce24db...cb.exe

windows10-2004-x64

8

Sharing

General

Target

5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb
Size

132KB
Sample

220725-y6j2csdfb4
MD5

3247288441b450a0be73b99371ffe5a4
SHA1

00b0844f6d2ab60df8884f77d02c92f05f83cb48
SHA256

5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb
SHA512

b7099b098b966b64a07d70b7efe74486c804f969c5c6f96c80f269627fa8e69905c11f8ca725c2cdd1651940903d4a1b744606bace0576b24fa75074141a5a66

Score

10^/10

tofsee persistence trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe

Resource

win7-20220718-en

tofsee persistence trojan upx

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb.exe

Resource

win10v2004-20220721-en

windows10-2004-x64

2 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

- Target
  
  5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb
- Size
  
  132KB
- MD5
  
  3247288441b450a0be73b99371ffe5a4
- SHA1
  
  00b0844f6d2ab60df8884f77d02c92f05f83cb48
- SHA256
  
  5412ce24dba0bda8ea83426f4cd1c7e7bfea1d0dffb5b15b3801c7977539eccb
- SHA512
  
  b7099b098b966b64a07d70b7efe74486c804f969c5c6f96c80f269627fa8e69905c11f8ca725c2cdd1651940903d4a1b744606bace0576b24fa75074141a5a66
Score

10^/10

tofsee persistence trojan upx
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseepersistencetrojanupx

behavioral2

© 2018-2024

Terms | Privacy