tofsee | c3eb0cc7e11b14803230e0cfefc144399b6ef5c9440591dd73507a538833420c | Triage

Sharing

General

Target

c3eb0cc7e11b14803230e0cfefc144399b6ef5c9440591dd73507a538833420c
Size

85KB
Sample

221203-xd3sbsad9t
MD5

029c4fc49137543e0112051bf266e9f4
SHA1

baf14d9d7c63b5b92f3a0955c9a814a0dc417f8f
SHA256

c3eb0cc7e11b14803230e0cfefc144399b6ef5c9440591dd73507a538833420c
SHA512

f21b71e9e7c2f75ec411442f257f9bdc586de7fd826d1d9e5202a6babddc211edab37989d12221d83b76470d2ed40afbe78563d9b149fd7acb1d61bd54ab8e1f
SSDEEP

1536:auiRUnDzjFUic6xZl3aBbnBvlUqItARBLx1BH8WOEN96nsoikHygz:alOnDzjJlqhLUpA3L5cvM8yi

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

94.75.255.140

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

- Target
  
  c3eb0cc7e11b14803230e0cfefc144399b6ef5c9440591dd73507a538833420c
- Size
  
  85KB
- MD5
  
  029c4fc49137543e0112051bf266e9f4
- SHA1
  
  baf14d9d7c63b5b92f3a0955c9a814a0dc417f8f
- SHA256
  
  c3eb0cc7e11b14803230e0cfefc144399b6ef5c9440591dd73507a538833420c
- SHA512
  
  f21b71e9e7c2f75ec411442f257f9bdc586de7fd826d1d9e5202a6babddc211edab37989d12221d83b76470d2ed40afbe78563d9b149fd7acb1d61bd54ab8e1f
- SSDEEP
  
  1536:auiRUnDzjFUic6xZl3aBbnBvlUqItARBLx1BH8WOEN96nsoikHygz:alOnDzjJlqhLUpA3L5cvM8yi
Score

10^/10

tofsee persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseepersistencetrojan

behavioral2