tofsee | e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b | Triage

Sharing

General

Target

e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b
Size

116KB
Sample

221201-mbeydacf8z
MD5

4c79627d173e65b9f8a540862cec94b6
SHA1

e8ccc199f9c837f87abac347f7c7e148852ee8ea
SHA256

e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b
SHA512

bb3df0154d928e331f449bbdc2c85e82e9633db7408904039ffdb82ff55e16100eea48ed184b3aa70e38fb646d7b2c7c768cdee98bc1b8b342ceedd663de894e
SSDEEP

1536:LazW9cONBCMUUHTYT2n3oJJpG7V8JtYNvZL3HHjLvlz:+zW9cnMUyTYzG7V87YNvZTHH3vlz

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.9.150.244

188.190.120.102

121.127.250.203

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

- Target
  
  e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b
- Size
  
  116KB
- MD5
  
  4c79627d173e65b9f8a540862cec94b6
- SHA1
  
  e8ccc199f9c837f87abac347f7c7e148852ee8ea
- SHA256
  
  e454df81b23d84eca8cfbca9661e8e1714ae04c3c5d236d603f9f40b0c93533b
- SHA512
  
  bb3df0154d928e331f449bbdc2c85e82e9633db7408904039ffdb82ff55e16100eea48ed184b3aa70e38fb646d7b2c7c768cdee98bc1b8b342ceedd663de894e
- SSDEEP
  
  1536:LazW9cONBCMUUHTYT2n3oJJpG7V8JtYNvZL3HHjLvlz:+zW9cnMUyTYzG7V87YNvZTHH3vlz
Score

10^/10

tofsee persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseepersistencetrojan

behavioral2

tofseepersistencetrojan