tofsee | 19dd9c0331cc180aa3c5d1b2c7d9b8897274b393c5f36957e10281f3965f9580 | Triage

Sharing

General

Target

cf08ecb08edbc52e65c8f40215d1e631.exe
Size

235KB
Sample

230602-b7kyqahg4y
MD5

cf08ecb08edbc52e65c8f40215d1e631
SHA1

1de7abbfa87a31b694ee92413c83f7a22a55c2f8
SHA256

19dd9c0331cc180aa3c5d1b2c7d9b8897274b393c5f36957e10281f3965f9580
SHA512

2044e021e7d8eed05ca30205eefd65a586fb23c7eb73bd7b5848895ebc49ebe869d103e935c70564ecb0e573bc22cd0d017501934f781254b1bc40b0888327f4
SSDEEP

3072:uXj1yteXDZ65fyY4RxozmJXEoVyROKipzmmpARedR5TPx2qc:2lI6Cz1oAABfARedf0

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  cf08ecb08edbc52e65c8f40215d1e631.exe
- Size
  
  235KB
- MD5
  
  cf08ecb08edbc52e65c8f40215d1e631
- SHA1
  
  1de7abbfa87a31b694ee92413c83f7a22a55c2f8
- SHA256
  
  19dd9c0331cc180aa3c5d1b2c7d9b8897274b393c5f36957e10281f3965f9580
- SHA512
  
  2044e021e7d8eed05ca30205eefd65a586fb23c7eb73bd7b5848895ebc49ebe869d103e935c70564ecb0e573bc22cd0d017501934f781254b1bc40b0888327f4
- SSDEEP
  
  3072:uXj1yteXDZ65fyY4RxozmJXEoVyROKipzmmpARedR5TPx2qc:2lI6Cz1oAABfARedf0
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Privilege Escalation

New Service

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan