tofsee | c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd | Triage

Sharing

General

Target

c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd
Size

192KB
Sample

221123-hl3d7shf2s
MD5

da9f474b3a4d1af9d30a5101b652bbda
SHA1

6797f6e40f5439d15bfc94a53838983f8115b30a
SHA256

c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd
SHA512

676e790d05ed03d0c6122980c962cf9e2368e5dbf734c4760e481d55698b79c3065b00d561617f1accff2c0ba06ad91cd32c44ce9c28fb8aeb21141a52946280
SSDEEP

3072:8c1EtBBRhiEkEq5NqNWx4zVybl4v9G1riZkn4O5Iwuk0yGglr:TOBz2NNyEwkncwupjglr

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

64.20.54.234

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

- Target
  
  c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd
- Size
  
  192KB
- MD5
  
  da9f474b3a4d1af9d30a5101b652bbda
- SHA1
  
  6797f6e40f5439d15bfc94a53838983f8115b30a
- SHA256
  
  c146acf3e7e01c34f65f7628316a63446b5a00469a038423de8cde79181a8fdd
- SHA512
  
  676e790d05ed03d0c6122980c962cf9e2368e5dbf734c4760e481d55698b79c3065b00d561617f1accff2c0ba06ad91cd32c44ce9c28fb8aeb21141a52946280
- SSDEEP
  
  3072:8c1EtBBRhiEkEq5NqNWx4zVybl4v9G1riZkn4O5Iwuk0yGglr:TOBz2NNyEwkncwupjglr
Score

10^/10

tofsee persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseepersistencetrojan

behavioral2