tofsee | 2c8b3688a091e5e4e73e451122e85f0e552e7721c1963208031a03574bd97429 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

5bbbb8d6a54d686b060d239a323c2127
Size

12.4MB
Sample

240115-bgrzcafdc4
MD5

5bbbb8d6a54d686b060d239a323c2127
SHA1

8ca22413afbeadfe1a03304441819f002734088c
SHA256

2c8b3688a091e5e4e73e451122e85f0e552e7721c1963208031a03574bd97429
SHA512

cf1c83e5cee760eb2cf495ba4460ce2b4c2fb451c328652aafbea93e15a208bb30219fcc0992206608e4a35c7eb42ccd138e6c4e965956f9ab2f11b8ad8a27d4
SSDEEP

49152:DHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHn:

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.6

lazystax.ru

Targets

- Target
  
  5bbbb8d6a54d686b060d239a323c2127
- Size
  
  12.4MB
- MD5
  
  5bbbb8d6a54d686b060d239a323c2127
- SHA1
  
  8ca22413afbeadfe1a03304441819f002734088c
- SHA256
  
  2c8b3688a091e5e4e73e451122e85f0e552e7721c1963208031a03574bd97429
- SHA512
  
  cf1c83e5cee760eb2cf495ba4460ce2b4c2fb451c328652aafbea93e15a208bb30219fcc0992206608e4a35c7eb42ccd138e6c4e965956f9ab2f11b8ad8a27d4
- SSDEEP
  
  49152:DHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHn:
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan