tofsee | e86b987fdd4dd09bb9168653a750e7a8dc3d2f491b839496d8c6ec14c52df94a | Triage

Submit
Reports

Overview

overview

Static

static

8

e86b987fdd...4a.exe

windows7-x64

e86b987fdd...4a.exe

windows10-2004-x64

8

Sharing

General

Target

e86b987fdd4dd09bb9168653a750e7a8dc3d2f491b839496d8c6ec14c52df94a
Size

130KB
Sample

221130-sh684adg21
MD5

f20c2e5c40d100b840e9df5cacdcfde4
SHA1

661220e497bdb6dfcc52b48aa5d9f888db19595e
SHA256

e86b987fdd4dd09bb9168653a750e7a8dc3d2f491b839496d8c6ec14c52df94a
SHA512

9d3e57a14bcb876068cdb1b1c864b102c00ebe73a1d56bd5dc05078501506fc2fb67d77bdaba1a382862b01890f8bb2fcfa48a134bdb60bae7e448acef52c6c3
SSDEEP

3072:GvNN0cMdYQ3QRi6yxZ2pHbvxWEXYff78ROm8Mxq:IN0ndYsQRXJWEXYcnj

Score

10^/10

tofsee persistence trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e86b987fdd4dd09bb9168653a750e7a8dc3d2f491b839496d8c6ec14c52df94a.exe

Resource

win7-20221111-en

tofsee persistence trojan upx

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

e86b987fdd4dd09bb9168653a750e7a8dc3d2f491b839496d8c6ec14c52df94a.exe

Resource

win10v2004-20220812-en

windows10-2004-x64

2 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

- Target
  
  e86b987fdd4dd09bb9168653a750e7a8dc3d2f491b839496d8c6ec14c52df94a
- Size
  
  130KB
- MD5
  
  f20c2e5c40d100b840e9df5cacdcfde4
- SHA1
  
  661220e497bdb6dfcc52b48aa5d9f888db19595e
- SHA256
  
  e86b987fdd4dd09bb9168653a750e7a8dc3d2f491b839496d8c6ec14c52df94a
- SHA512
  
  9d3e57a14bcb876068cdb1b1c864b102c00ebe73a1d56bd5dc05078501506fc2fb67d77bdaba1a382862b01890f8bb2fcfa48a134bdb60bae7e448acef52c6c3
- SSDEEP
  
  3072:GvNN0cMdYQ3QRi6yxZ2pHbvxWEXYff78ROm8Mxq:IN0ndYsQRXJWEXYcnj
Score

10^/10

tofsee persistence trojan upx
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseepersistencetrojanupx

behavioral2

© 2018-2024

Terms | Privacy