tofsee | 15188d63048c1646ce4b4070eb5ff19ed65e9e63af1c884e3b314d5536bb695a | Triage

Sharing

General

Target

file.exe
Size

299KB
Sample

230206-2fx23sbd9w
MD5

f4d9f3f1009be26ad902f44ac9082c4e
SHA1

9814e5e8e6ce762b7e0544f8f44d1eddd9658415
SHA256

15188d63048c1646ce4b4070eb5ff19ed65e9e63af1c884e3b314d5536bb695a
SHA512

c09ec10ea165108655f52c1e001d37777c66ff205cd8936c79f5991e838ec29cc76d0ad8c7b7c129ef3fa41007559c3869d7483f5ae3fbb52d0ffe60a95208c6
SSDEEP

6144:COUmLTe6RYq4N306/C/ryGOhXDuQj96oah:CBmvjYjNda2GOhXDljD

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  file.exe
- Size
  
  299KB
- MD5
  
  f4d9f3f1009be26ad902f44ac9082c4e
- SHA1
  
  9814e5e8e6ce762b7e0544f8f44d1eddd9658415
- SHA256
  
  15188d63048c1646ce4b4070eb5ff19ed65e9e63af1c884e3b314d5536bb695a
- SHA512
  
  c09ec10ea165108655f52c1e001d37777c66ff205cd8936c79f5991e838ec29cc76d0ad8c7b7c129ef3fa41007559c3869d7483f5ae3fbb52d0ffe60a95208c6
- SSDEEP
  
  6144:COUmLTe6RYq4N306/C/ryGOhXDuQj96oah:CBmvjYjNda2GOhXDljD
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan