tofsee | 427c66d2a89ca69ac4bdc8b2999fff9839ae096126038dd2e7058247a5a201eb | Triage

Sharing

General

Target

427c66d2a89ca69ac4bdc8b2999fff9839ae096126038dd2e7058247a5a201eb
Size

116KB
Sample

221202-etxbdace67
MD5

7fd1ae51db3d7a3922351bb51cbb2eed
SHA1

83326d0e6345302f0c2a20aed5a85db17f3c53cf
SHA256

427c66d2a89ca69ac4bdc8b2999fff9839ae096126038dd2e7058247a5a201eb
SHA512

4961469b70c75c36ec5c5fd528dcf93c8223b351bdaf20f08c3a168ab97187b34084fe4ebd5f0fdbc4df4ff0770e37d8c1d3c0ffbc766775c1102c726c160852
SSDEEP

1536:ocax2pMx6WFL+qt5d+CWu7ccW5s9iysjFtkdGjZy7AdwOGp0:z0d7WugS9WFgorGu

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

103.9.150.244

188.190.120.102

121.127.250.203

188.165.132.183

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

- Target
  
  427c66d2a89ca69ac4bdc8b2999fff9839ae096126038dd2e7058247a5a201eb
- Size
  
  116KB
- MD5
  
  7fd1ae51db3d7a3922351bb51cbb2eed
- SHA1
  
  83326d0e6345302f0c2a20aed5a85db17f3c53cf
- SHA256
  
  427c66d2a89ca69ac4bdc8b2999fff9839ae096126038dd2e7058247a5a201eb
- SHA512
  
  4961469b70c75c36ec5c5fd528dcf93c8223b351bdaf20f08c3a168ab97187b34084fe4ebd5f0fdbc4df4ff0770e37d8c1d3c0ffbc766775c1102c726c160852
- SSDEEP
  
  1536:ocax2pMx6WFL+qt5d+CWu7ccW5s9iysjFtkdGjZy7AdwOGp0:z0d7WugS9WFgorGu
Score

10^/10

tofsee persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseepersistencetrojan

behavioral2

tofseepersistencetrojan