tofsee | 78afae32372bc649e801d37ade3f498f39b86cf5e8adc7917a46d716137e3533 | Triage

Sharing

General

Target

78afae32372bc649e801d37ade3f498f39b86cf5e8adc7917a46d716137e3533
Size

145KB
Sample

240417-qk4vmshb49
MD5

d38890b7e3650eb8b43ddb28f0315978
SHA1

a727a3871f49a0bd0b94482a52efcb092c323cc8
SHA256

78afae32372bc649e801d37ade3f498f39b86cf5e8adc7917a46d716137e3533
SHA512

be333f80e80dfb6372a5d1c70e6d3b760c3a303416743d2800e09ead50c202f5307409cc9ea5350b2f82d1ce43216af1cb98264e694f1eca76ea503085a010d7
SSDEEP

3072:xia7GWczxa+/Xo9enZA5V3d4AMXzZz0P8wnuMo6DtT:4a7GTs+/XweZA53CjZg1U6p

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  9dc0085f64473ca82753f59552bae76c64b5165e72899d727cd18f4d1afbd9d1.exe
- Size
  
  233KB
- MD5
  
  e1fd44ce08b0383dc59e732bb0b1f2d9
- SHA1
  
  70dc0dba88f5b4d02f554627ec8fce32b9237fcc
- SHA256
  
  9dc0085f64473ca82753f59552bae76c64b5165e72899d727cd18f4d1afbd9d1
- SHA512
  
  7db8ae6bbead6c8603fda377b70cf05f793a795ca29cef50a97c6df148c4ecf5677880177016d7e65e51b204bbeed22b07e31f9d021305ea7a350b7130121d0d
- SSDEEP
  
  3072:TcYelBc/ctFykDqPogVwsvhQNW3k1QxCJ18YcRfIBvd4rm5qe4EY3jXO9ZJwVQk:TcdBJ+PojEk1QEJq1FIBv74E2OTF
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan