tofsee | b30d031ba00884201f134275fba470347847c79c202730a99aba28ba0af5164d | Triage

Sharing

General

Target

Backdoor.Win32.Tofsee.vxxb30d031ba00884201f134275fba470347847c79c202730a99aba28ba0af5164d
Size

156KB
Sample

230507-gy9tdafh87
MD5

5a1b9badb9af104e121379fe3c7f7e4c
SHA1

0d4e9cc2af85424606ddb981c3060f19f7aa834b
SHA256

b30d031ba00884201f134275fba470347847c79c202730a99aba28ba0af5164d
SHA512

049b178dd0a9697e94cba8895dc7ab28f4a754140f777781fdc2213348874f47234e8d5addf332c52396a20ead98ad1e147855a9b0abc4c2d18e6cc239d0454a
SSDEEP

3072:jcyXKgAPWYnaqlhdlEMOMk3M1HhyOGxx:jcQKgAvaudyMOv2yO

Score

10^/10

tofsee persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.225.38.217

111.121.193.242

188.190.120.101

188.165.132.183

213.155.0.208

rgtryhbgddtyh.biz

wertdghbyrukl.ch

Targets

- Target
  
  Backdoor.Win32.Tofsee.vxxb30d031ba00884201f134275fba470347847c79c202730a99aba28ba0af5164d
- Size
  
  156KB
- MD5
  
  5a1b9badb9af104e121379fe3c7f7e4c
- SHA1
  
  0d4e9cc2af85424606ddb981c3060f19f7aa834b
- SHA256
  
  b30d031ba00884201f134275fba470347847c79c202730a99aba28ba0af5164d
- SHA512
  
  049b178dd0a9697e94cba8895dc7ab28f4a754140f777781fdc2213348874f47234e8d5addf332c52396a20ead98ad1e147855a9b0abc4c2d18e6cc239d0454a
- SSDEEP
  
  3072:jcyXKgAPWYnaqlhdlEMOMk3M1HhyOGxx:jcQKgAvaudyMOv2yO
Score

10^/10

tofsee persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseepersistencetrojan

behavioral2