tofsee | d5a45f5fbe4d0679d208908a1282e6675456cf565b427d886cab0b2fdf92c21b | Triage

Sharing

General

Target

3-psltrtbl
Size

14.9MB
Sample

220802-xywvhsabf9
MD5

b43621f4b65408c95be2bb609f310f37
SHA1

9bb79973daf63550d3f403c10f6be0a57f797b7f
SHA256

d5a45f5fbe4d0679d208908a1282e6675456cf565b427d886cab0b2fdf92c21b
SHA512

9d09de7115fca7316815c7fcfea2c431bfeccea2629aa3878ea52bd241f1ea8b60bda70828420ced7e0cfd3fbf9bb032a8656d2085afcd748cfbd6ba4e1cb04e

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

- Target
  
  3-psltrtbl
- Size
  
  14.9MB
- MD5
  
  b43621f4b65408c95be2bb609f310f37
- SHA1
  
  9bb79973daf63550d3f403c10f6be0a57f797b7f
- SHA256
  
  d5a45f5fbe4d0679d208908a1282e6675456cf565b427d886cab0b2fdf92c21b
- SHA512
  
  9d09de7115fca7316815c7fcfea2c431bfeccea2629aa3878ea52bd241f1ea8b60bda70828420ced7e0cfd3fbf9bb032a8656d2085afcd748cfbd6ba4e1cb04e
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan