tofsee | 64718218c2c2a864e735efef319a027d31d276fe498491ea2f7100aabc8630ca | Triage

Sharing

General

Target

64718218c2c2a864e735efef319a027d31d276fe498491ea2f7100aabc8630ca
Size

144KB
Sample

221127-2lv5nshg4s
MD5

737df649faa5d026ae26e837690c3e89
SHA1

fbd6325b13539cfdb329fed8aa25a6c93f7d9e1f
SHA256

64718218c2c2a864e735efef319a027d31d276fe498491ea2f7100aabc8630ca
SHA512

013f4dfa7b79b10cdd4d1d94f44c4b00a24525a0ea4c902cbaded579833d37d7c42b8d218467dacf2ecc412d97fa69ecbc744e22eae14e700c1b7c74f413f4de
SSDEEP

3072:AGfhb5J7KogC+5pezA4skgTayJim9J52WamPk/Gmv64Ov:JhX7Kog/OsWoEWamPkNvi

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  64718218c2c2a864e735efef319a027d31d276fe498491ea2f7100aabc8630ca
- Size
  
  144KB
- MD5
  
  737df649faa5d026ae26e837690c3e89
- SHA1
  
  fbd6325b13539cfdb329fed8aa25a6c93f7d9e1f
- SHA256
  
  64718218c2c2a864e735efef319a027d31d276fe498491ea2f7100aabc8630ca
- SHA512
  
  013f4dfa7b79b10cdd4d1d94f44c4b00a24525a0ea4c902cbaded579833d37d7c42b8d218467dacf2ecc412d97fa69ecbc744e22eae14e700c1b7c74f413f4de
- SSDEEP
  
  3072:AGfhb5J7KogC+5pezA4skgTayJim9J52WamPk/Gmv64Ov:JhX7Kog/OsWoEWamPkNvi
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Privilege Escalation

New Service

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan