tofsee | 63e235b92d97d6c3d5a5dca42f31279b674d3140affc1e26c5971d12fc1d7667 | Triage

Sharing

General

Target

file
Size

298KB
Sample

230508-hh4svshc94
MD5

b7c137a18093f43fa0ac50865cc34f9c
SHA1

93727de39d92f6934d4ddee26728b207a212428e
SHA256

63e235b92d97d6c3d5a5dca42f31279b674d3140affc1e26c5971d12fc1d7667
SHA512

40683347b6f3dd2f18d15d5bfaa64d98f6ca88d1497bac811483366c59e5c786914dd32445981f774666b20053390f18d5a01f278162ba85bf75866edf6c95d6
SSDEEP

3072:/UgGk8D2CKiH+U3XmE5kDOXkqVDE/zpUp+rqdyy76kgREiwUP7A6qVxWm5iT/Hrq:Ret/X/GDwpELm04B710Ej2qVA8i

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  file
- Size
  
  298KB
- MD5
  
  b7c137a18093f43fa0ac50865cc34f9c
- SHA1
  
  93727de39d92f6934d4ddee26728b207a212428e
- SHA256
  
  63e235b92d97d6c3d5a5dca42f31279b674d3140affc1e26c5971d12fc1d7667
- SHA512
  
  40683347b6f3dd2f18d15d5bfaa64d98f6ca88d1497bac811483366c59e5c786914dd32445981f774666b20053390f18d5a01f278162ba85bf75866edf6c95d6
- SSDEEP
  
  3072:/UgGk8D2CKiH+U3XmE5kDOXkqVDE/zpUp+rqdyy76kgREiwUP7A6qVxWm5iT/Hrq:Ret/X/GDwpELm04B710Ej2qVA8i
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan