tofsee | f72ce5819c55791ed13b5aef388b051d8d75f3917f892e92fdad9e94c7ff8658 | Triage

Sharing

General

Target

f72ce5819c55791ed13b5aef388b051d8d75f3917f892e92fdad9e94c7ff8658
Size

151KB
Sample

240417-qtvnbsbc6s
MD5

fac0a6d618d703336ceedbbc7017f94d
SHA1

e0c8593dae121cd33ad11caf0967d8a30d323fc5
SHA256

f72ce5819c55791ed13b5aef388b051d8d75f3917f892e92fdad9e94c7ff8658
SHA512

49481f4f19d2a08f82bb4b4d5f96622c9be138271ad4256c09ff8e65bf7e4f458f9429dba92947f1a8e0293a9af55663fb71eeb6913237f57788886939785385
SSDEEP

3072:WI65UgAHsAlB7ymFP2ol3+91mwHWjm8iMbrNluyZeaE:w5UnHsAH7BF3yVR8XKYeaE

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  bc822ed934731c6843e138a7b5a0f643b6852ee233b0fb861040bd95111d09f5.exe
- Size
  
  239KB
- MD5
  
  a520a1746783fd618b1f805ce48b313f
- SHA1
  
  d66c729c5d5b49c0e02f8f692425a6d4743f58cf
- SHA256
  
  bc822ed934731c6843e138a7b5a0f643b6852ee233b0fb861040bd95111d09f5
- SHA512
  
  04e948f7e1df4856d65e30abfcca3a9ff7417f3e572df32b98d268bd982f87d97fc0a4a955ebe6e75de13d1d0e22132269e4c74124927385010feb00bd34066e
- SSDEEP
  
  6144:IfULzEiwjQjbSnDuWi+Ygh5pUTQYJkge:hXEiwjhn4gh5Wtkv
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan