tofsee | 7da7a2f8b2d06754ee5f6e4caf7a21528704ed80a08f0cedf25894d84d3dfb88 | Triage

Sharing

General

Target

4b9cc0ee2d9c9a88d789249ecb86b1ba
Size

10.7MB
Sample

231226-ck1lbsgdf6
MD5

4b9cc0ee2d9c9a88d789249ecb86b1ba
SHA1

64710b02f796d02403901b8cdf1a5ca331f2b037
SHA256

7da7a2f8b2d06754ee5f6e4caf7a21528704ed80a08f0cedf25894d84d3dfb88
SHA512

781b520f96df3f99e5f92a65e4512603b55ab23359c816c453f2200916fff5fdd2d778c3db158ce603166192207b04058313e52a33ed7bf52b688567209e6248
SSDEEP

24576:UjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBX:Unh

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

- Target
  
  4b9cc0ee2d9c9a88d789249ecb86b1ba
- Size
  
  10.7MB
- MD5
  
  4b9cc0ee2d9c9a88d789249ecb86b1ba
- SHA1
  
  64710b02f796d02403901b8cdf1a5ca331f2b037
- SHA256
  
  7da7a2f8b2d06754ee5f6e4caf7a21528704ed80a08f0cedf25894d84d3dfb88
- SHA512
  
  781b520f96df3f99e5f92a65e4512603b55ab23359c816c453f2200916fff5fdd2d778c3db158ce603166192207b04058313e52a33ed7bf52b688567209e6248
- SSDEEP
  
  24576:UjDuKnh7YzbKBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBX:Unh
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan