tofsee | c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59 | Triage

Sharing

General

Target

c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59
Size

1.1MB
Sample

221003-clb95abgc8
MD5

676ed17e4e879a2a2f78da41b16acd70
SHA1

fd2b588155e082521c69b2d272f5bfc23e04a5bb
SHA256

c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59
SHA512

32c0d04253331fbb0e921a7c643b9cd2bba326dee2b15fd0d2d63bf82fabe2f4248d1bf1b6fa430df3d4cc37c4b5b9b32c7bf310269f676c7a829fffe0515d3c
SSDEEP

3072:q2Epu+/YrezMHLJfDZy0s3cccccccccccccccccccccccccccccccccccccccccv:qFp6X91si7

Score

10^/10

tofsee trojan

Malware Config

Extracted

Family

tofsee

C2

43.225.38.217

111.121.193.242

188.190.120.101

188.165.132.183

213.155.0.208

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

- Target
  
  c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59
- Size
  
  1.1MB
- MD5
  
  676ed17e4e879a2a2f78da41b16acd70
- SHA1
  
  fd2b588155e082521c69b2d272f5bfc23e04a5bb
- SHA256
  
  c9e2a9bfb83ccd0d1d37d99af25b4c163338143d1cf6c041c10f87b0f3974b59
- SHA512
  
  32c0d04253331fbb0e921a7c643b9cd2bba326dee2b15fd0d2d63bf82fabe2f4248d1bf1b6fa430df3d4cc37c4b5b9b32c7bf310269f676c7a829fffe0515d3c
- SSDEEP
  
  3072:q2Epu+/YrezMHLJfDZy0s3cccccccccccccccccccccccccccccccccccccccccv:qFp6X91si7
Score

10^/10

tofsee trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2