tofsee | c15e980992dd745dee1a63cbddea26a39eec4083cb32a7448cb7e77eff551446 | Triage

Sharing

General

Target

41e8d0cd880e3fcfa4e916dc16e569ed
Size

14.2MB
Sample

240104-zwm6pscda3
MD5

41e8d0cd880e3fcfa4e916dc16e569ed
SHA1

4201e77562330c33d6eeaee47a28c920c9a0c8a7
SHA256

c15e980992dd745dee1a63cbddea26a39eec4083cb32a7448cb7e77eff551446
SHA512

62f11c495a5341ba1360929087a0f0f2307bfcdf5088192a6e80f6f184b1fb50b18605c5837b3b1268f8efb07a5f106bc5f31d5226a95e76d5a8feb4dd8e7f8f
SSDEEP

24576:5ATa7/2ggggggggggggggggggggggggggggggggggggggggggggggggggggggggH:5A27

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

176.111.174.19

defeatwax.ru

Targets

- Target
  
  41e8d0cd880e3fcfa4e916dc16e569ed
- Size
  
  14.2MB
- MD5
  
  41e8d0cd880e3fcfa4e916dc16e569ed
- SHA1
  
  4201e77562330c33d6eeaee47a28c920c9a0c8a7
- SHA256
  
  c15e980992dd745dee1a63cbddea26a39eec4083cb32a7448cb7e77eff551446
- SHA512
  
  62f11c495a5341ba1360929087a0f0f2307bfcdf5088192a6e80f6f184b1fb50b18605c5837b3b1268f8efb07a5f106bc5f31d5226a95e76d5a8feb4dd8e7f8f
- SSDEEP
  
  24576:5ATa7/2ggggggggggggggggggggggggggggggggggggggggggggggggggggggggH:5A27
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan