tofsee | d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a | Triage

Sharing

General

Target

d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a
Size

169KB
Sample

221203-etre5agf61
MD5

d32ba71dfd5df6fc649515bbb0ba16bc
SHA1

dd0738787a869066c025b836ae631e5f883a5170
SHA256

d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a
SHA512

49ee9e6416745bd0c8c1a25ee438d38d3f87ab82671775de213ba093f08bce31f8c3cd9ca847f10b6cef58b90963fd2f8097a3aaf0ce39f68bbddebb490a5278
SSDEEP

3072:TNnz4Uk1hIMY8JCLiwMiCjcLUZtHdnXzN2yWTtpFfhYL:TNXkJY8JGC4UzQZtpFhYL

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

64.20.54.234

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

- Target
  
  d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a
- Size
  
  169KB
- MD5
  
  d32ba71dfd5df6fc649515bbb0ba16bc
- SHA1
  
  dd0738787a869066c025b836ae631e5f883a5170
- SHA256
  
  d228aa5ef0b9200d668914034d9b3cee75ec0c1c8d70eca0fb00d31ebf7a211a
- SHA512
  
  49ee9e6416745bd0c8c1a25ee438d38d3f87ab82671775de213ba093f08bce31f8c3cd9ca847f10b6cef58b90963fd2f8097a3aaf0ce39f68bbddebb490a5278
- SSDEEP
  
  3072:TNnz4Uk1hIMY8JCLiwMiCjcLUZtHdnXzN2yWTtpFfhYL:TNXkJY8JGC4UzQZtpFhYL
Score

10^/10

tofsee persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseepersistencetrojan

behavioral2