tofsee | e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54 | Triage

Sharing

General

Target

file.exe
Size

147KB
Sample

221126-j29znaha8v
MD5

4eb62a4c6ef0b767b031754502a53d39
SHA1

1031001a9972fadf5308ade23eaa3010a168c256
SHA256

e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54
SHA512

d5765daac7a19123e203e0f7e90c2ed43e6aebb1246c5516b7141f526a007a3d06310e278ebf2e0dece2e0a0446a602fea22a537d4caa6f79aa2625e23859047
SSDEEP

3072:YrEIFtEGVCjl65U0o000FBUFfmEeVdvw46LkxC:HZGVy0o000FBUYnvwL

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  file.exe
- Size
  
  147KB
- MD5
  
  4eb62a4c6ef0b767b031754502a53d39
- SHA1
  
  1031001a9972fadf5308ade23eaa3010a168c256
- SHA256
  
  e8ee109e27398ee0a3db27958f243924c1bba9523919c375a49e606acc53cc54
- SHA512
  
  d5765daac7a19123e203e0f7e90c2ed43e6aebb1246c5516b7141f526a007a3d06310e278ebf2e0dece2e0a0446a602fea22a537d4caa6f79aa2625e23859047
- SSDEEP
  
  3072:YrEIFtEGVCjl65U0o000FBUFfmEeVdvw46LkxC:HZGVy0o000FBUYnvwL
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan