tofsee | f76c8b1971b45aaed739c73c5d76fc5de20e236da84f6cbe531a6391445ccfe9 | Triage

Submit
Reports

Overview

overview

Static

static

8

f76c8b1971...e9.exe

windows7-x64

f76c8b1971...e9.exe

windows10-2004-x64

8

Sharing

General

Target

f76c8b1971b45aaed739c73c5d76fc5de20e236da84f6cbe531a6391445ccfe9
Size

256KB
Sample

221130-xpkqwsfd94
MD5

f6417df538fef21cf0bbf54153843bb8
SHA1

8399d35bc40be456d7093d8d631a96734fbae062
SHA256

f76c8b1971b45aaed739c73c5d76fc5de20e236da84f6cbe531a6391445ccfe9
SHA512

e9382b543ca84d26eebb644e6e8761392bc807faa933215585d4d258930482533bd4940a706ef01f17d0ca87517f21bdf101e704dba1101a1bc8f9b62b6cee04
SSDEEP

6144:bxpkdMYZ/cfvWpUdCi0AYX/m16gyn/oT:1nYpWWeci7z16VoT

Score

10^/10

tofsee persistence trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

f76c8b1971b45aaed739c73c5d76fc5de20e236da84f6cbe531a6391445ccfe9.exe

Resource

win7-20221111-en

tofsee persistence trojan upx

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

f76c8b1971b45aaed739c73c5d76fc5de20e236da84f6cbe531a6391445ccfe9.exe

Resource

win10v2004-20220812-en

windows10-2004-x64

2 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

91.218.38.245

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

- Target
  
  f76c8b1971b45aaed739c73c5d76fc5de20e236da84f6cbe531a6391445ccfe9
- Size
  
  256KB
- MD5
  
  f6417df538fef21cf0bbf54153843bb8
- SHA1
  
  8399d35bc40be456d7093d8d631a96734fbae062
- SHA256
  
  f76c8b1971b45aaed739c73c5d76fc5de20e236da84f6cbe531a6391445ccfe9
- SHA512
  
  e9382b543ca84d26eebb644e6e8761392bc807faa933215585d4d258930482533bd4940a706ef01f17d0ca87517f21bdf101e704dba1101a1bc8f9b62b6cee04
- SSDEEP
  
  6144:bxpkdMYZ/cfvWpUdCi0AYX/m16gyn/oT:1nYpWWeci7z16VoT
Score

10^/10

tofsee persistence trojan upx
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseepersistencetrojanupx

behavioral2

© 2018-2024

Terms | Privacy