tofsee | a99ed3c14714fb287ed5cf8b2ce4494c281077b77f717307140d36e8539edcd0 | Triage

Sharing

General

Target

a99ed3c14714fb287ed5cf8b2ce4494c281077b77f717307140d36e8539edcd0
Size

159KB
Sample

240417-qtp3vabc5v
MD5

f659f7776d579fa21b071a40fab3c806
SHA1

5456403c514e26c536aaa350a52b98e3a8dd5f39
SHA256

a99ed3c14714fb287ed5cf8b2ce4494c281077b77f717307140d36e8539edcd0
SHA512

9b3b02e601ec2e77630b1a8bb3a5f0e59fea5df13ad93598c40133dd6541e462e75877877dcf9f2cfb2e40896480d62041cd1389ca3757134228dd2a090b60e2
SSDEEP

3072:YdxNXdnKabsOB66SARHyX4rzEh1D3HQf1gd6jv/GQwfeQ1+QAK9J//FSquZLhQ:YdxvNbsOB6LARy4/Eh1D3td6jenGQ1+g

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  bf1da149d7e5da9a8a4908039856414e838db0a32129dcad45b6c737ec92d408.exe
- Size
  
  290KB
- MD5
  
  d2bf0c77c70900657d7c919282b90136
- SHA1
  
  dc50e45c6aabad5b672af625f5449a0f50a36116
- SHA256
  
  bf1da149d7e5da9a8a4908039856414e838db0a32129dcad45b6c737ec92d408
- SHA512
  
  aee9a3d7862c25205432c39e61517d2d191a067dc2da79a627c6d228875cf32960d8cbe041d51ed0cf585ffe8b030f30b0e6df49653babb2967c5f4c49febab1
- SSDEEP
  
  6144:j7ol2UY55+0U4C/yHwyHkXdfLhBbjLp6:j80+0U4C6GXLBbI
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan