tofsee | 521b9e073450bc71db578e7eeee61b78ef3790bf62b2b332f966ec6ab8ef1860 | Triage

Sharing

General

Target

521b9e073450bc71db578e7eeee61b78ef3790bf62b2b332f966ec6ab8ef1860
Size

127KB
Sample

240417-qs5f5sbc2x
MD5

8b9fae8cc71ae7d657cd678d9445023f
SHA1

630c54c95e20f5f45445661f2e18c47c4b2d2479
SHA256

521b9e073450bc71db578e7eeee61b78ef3790bf62b2b332f966ec6ab8ef1860
SHA512

aa571442fc352dcbc73e2a4eba79c91eeafd42d5dfa1e50c635b49c221eb985b7f1e15cb1fded55d8877806a075a774db17305911d05676fdac579fb84d9f218
SSDEEP

3072:+//7YB5+JwfoEMzi/G0kMlGsNif+K+vEaE0P1YUT:y7DJJ0kBZ7+MatP1YUT

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  c9ba75c3c2b17dd64211ae2d9859ced46f797f4f25d867c63c813462a857b524.exe
- Size
  
  203KB
- MD5
  
  90d047019c018e2188352f9aeee97192
- SHA1
  
  e0d7eee14e19ddb119760d4e15e387f285d82076
- SHA256
  
  c9ba75c3c2b17dd64211ae2d9859ced46f797f4f25d867c63c813462a857b524
- SHA512
  
  4aa2fa4f364a398cb763cbd317ea91dbac17e9e5ed44e5ebe09ba16e62cedb588d98ad807adb84127b00c757bcfef31f229aed5294a71ce682ef494da558b5a7
- SSDEEP
  
  3072:DkIfnM3Jq/AmlEkJiAj1K/2sv1p6Ti/ZVqJnctmLoQCCRLQ+cmk:DkIzXlEh5VqKtm8CXcL
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan