tofsee | c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a | Triage

Sharing

General

Target

file.exe
Size

277KB
Sample

221202-f93nrsgh54
MD5

f45d7484b380f381a87585575c7db43a
SHA1

bf539ad755fe1524219d2c4ea59ab7f141b812ba
SHA256

c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a
SHA512

4f818cec22ded75b20128891c7e5c6242cbb6e2da89e2909ffbef7257be894b0339389ad8d2fa451bfbf617e56a1dcab1c8c1ceeb01ca551b3d5ab2c4a5c597d
SSDEEP

6144:r+MLF21xnMnD4j/A2AO8E4rOKnuRjMgU:rJx27MD4jZU/uRQg

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  file.exe
- Size
  
  277KB
- MD5
  
  f45d7484b380f381a87585575c7db43a
- SHA1
  
  bf539ad755fe1524219d2c4ea59ab7f141b812ba
- SHA256
  
  c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a
- SHA512
  
  4f818cec22ded75b20128891c7e5c6242cbb6e2da89e2909ffbef7257be894b0339389ad8d2fa451bfbf617e56a1dcab1c8c1ceeb01ca551b3d5ab2c4a5c597d
- SSDEEP
  
  6144:r+MLF21xnMnD4j/A2AO8E4rOKnuRjMgU:rJx27MD4jZU/uRQg
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan