tofsee | 5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0 | Triage

Submit
Reports

Overview

overview

Static

static

5ff46bca8d...f0.exe

windows7-x64

5ff46bca8d...f0.exe

windows10-2004-x64

Sharing

General

Target

5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0
Size

150KB
Sample

220731-jr651sgcem
MD5

0c3e9598600bccf1d8b874bdda869bca
SHA1

aeb7cd8f3f96fc4113fed76d86fa2434f2069e5e
SHA256

5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0
SHA512

6a47074a26686433edd0ebdc0573fb3541328cecc2f87421c49bf2c0a5087e36ce3a9f7d3438c37229f9b182f31e3509cd5e3c4941583a946ea777cb5909fb31

Score

10^/10

tofsee evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe

Resource

win7-20220715-en

tofsee evasion persistence trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0.exe

Resource

win10v2004-20220721-en

tofsee evasion persistence trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0
- Size
  
  150KB
- MD5
  
  0c3e9598600bccf1d8b874bdda869bca
- SHA1
  
  aeb7cd8f3f96fc4113fed76d86fa2434f2069e5e
- SHA256
  
  5ff46bca8d033a58673c281fa26b7158c1d11ba6eca99a1553e2651fbb0256f0
- SHA512
  
  6a47074a26686433edd0ebdc0573fb3541328cecc2f87421c49bf2c0a5087e36ce3a9f7d3438c37229f9b182f31e3509cd5e3c4941583a946ea777cb5909fb31
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan

© 2018-2024

Terms | Privacy