tofsee | 997f091cec1b6b0ca4c760582289f88fc845072e15d22fb9ebbc70d8a411eb34 | Triage

Sharing

General

Target

file
Size

167KB
Sample

221125-3geskahf3y
MD5

db37e2dceca24b2a30667e7a26816e5a
SHA1

a52d6f9718d4cb71f623f463cd590f76ad04878c
SHA256

997f091cec1b6b0ca4c760582289f88fc845072e15d22fb9ebbc70d8a411eb34
SHA512

b1f0795046296ce3ded9b195d40308999d3800f6886abff6730df2a047f30d3188828b48bd697069f51f038d8ff876d69e07563ef242070b30e219dce04b948c
SSDEEP

3072:MVtkj/2yjSgA2EVu5W+L/l5JYmsd//FuJpXxS5osnN:MnK+gA2EIL/lYZFupXI/

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  file
- Size
  
  167KB
- MD5
  
  db37e2dceca24b2a30667e7a26816e5a
- SHA1
  
  a52d6f9718d4cb71f623f463cd590f76ad04878c
- SHA256
  
  997f091cec1b6b0ca4c760582289f88fc845072e15d22fb9ebbc70d8a411eb34
- SHA512
  
  b1f0795046296ce3ded9b195d40308999d3800f6886abff6730df2a047f30d3188828b48bd697069f51f038d8ff876d69e07563ef242070b30e219dce04b948c
- SSDEEP
  
  3072:MVtkj/2yjSgA2EVu5W+L/l5JYmsd//FuJpXxS5osnN:MnK+gA2EIL/lYZFupXI/
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan