tofsee | 25ed67b390cafbd1ebcebed4c9cad13c38e6998c45e501e23d6652ac04bb69ef | Triage

Sharing

General

Target

097bc3c7d6f6f50a503fdb7a56e22a34
Size

312KB
Sample

230507-z15asahf4x
MD5

097bc3c7d6f6f50a503fdb7a56e22a34
SHA1

bc801204c76b73ee9e66a9a7bdffd856965604e0
SHA256

25ed67b390cafbd1ebcebed4c9cad13c38e6998c45e501e23d6652ac04bb69ef
SHA512

7dedbefbe0a0af1d1541374a1a8916eb45d6037c15b8ae36ed28c4dfc0a9d22f5062b584b856b8d32cf5d675f1a718b31b029dc5abcea4c40d8925ae42f05eea
SSDEEP

3072:6AX8ODio3+FCLQbFK+OCQ/KbqAjxBn7UJIdg6hO3Vd+eVRg/5wcw3P3XqT:vPDl5L0FKBDKbzBYd6upvG

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  097bc3c7d6f6f50a503fdb7a56e22a34
- Size
  
  312KB
- MD5
  
  097bc3c7d6f6f50a503fdb7a56e22a34
- SHA1
  
  bc801204c76b73ee9e66a9a7bdffd856965604e0
- SHA256
  
  25ed67b390cafbd1ebcebed4c9cad13c38e6998c45e501e23d6652ac04bb69ef
- SHA512
  
  7dedbefbe0a0af1d1541374a1a8916eb45d6037c15b8ae36ed28c4dfc0a9d22f5062b584b856b8d32cf5d675f1a718b31b029dc5abcea4c40d8925ae42f05eea
- SSDEEP
  
  3072:6AX8ODio3+FCLQbFK+OCQ/KbqAjxBn7UJIdg6hO3Vd+eVRg/5wcw3P3XqT:vPDl5L0FKBDKbzBYd6upvG
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan