tofsee | a4b9b97b2992feafb61da9a537dc82e6740e9cd5ac8d1a5d3d66eee04bdb29af | Triage

Sharing

General

Target

a4b9b97b2992feafb61da9a537dc82e6740e9cd5ac8d1a5d3d66eee04bdb29af
Size

98KB
Sample

240417-p7hp9ahf9z
MD5

140b13ac418330943b083ce574867010
SHA1

c42795b9739da42f063b6d9c979f545eade2742c
SHA256

a4b9b97b2992feafb61da9a537dc82e6740e9cd5ac8d1a5d3d66eee04bdb29af
SHA512

cc17124fa5bad886f1a5be77195b62a62e937e39d8bfc3ce3b127848e4755c04a404ec21ddfbf204377728dd88cda46ad4141272c042badc761a35ec02d4234c
SSDEEP

3072:Qd6Hw/RH+ALmvefjrp153rrzvbIdI1YEH5wBrEe:s7NLmgrF/zTIdI1H6

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  6fb0201dac82a2b6f3c409d74005eb50aab93abd7508f513636be051db86eefd.exe
- Size
  
  170KB
- MD5
  
  f5fd4237e550503a8eab51ae35f147b6
- SHA1
  
  869d44d58fb734b3692500dae1f42f0d6e3b3434
- SHA256
  
  6fb0201dac82a2b6f3c409d74005eb50aab93abd7508f513636be051db86eefd
- SHA512
  
  32327ca44e09d46ba8e656124f7480979b3eeb3769a94259d536a5223b2c532bd21654d8b4551d26265903f5c2be87a8da73d4571eee6fd9bfc887ea9e88350f
- SSDEEP
  
  1536:Js5KSNeteSXSI4nZ7OyP8p7+C1xIhQ6M3dfUMJn325pDedDT50ZXXKVXRKX:e5ScSHCO1p7hiO4AI1edHK56lR
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan