tofsee | 270fe63181b51aa1075fe596fc05154fd26b0f90968a4c24185adce01287b5c7 | Triage

Sharing

General

Target

270fe63181b51aa1075fe596fc05154fd26b0f90968a4c24185adce01287b5c7
Size

145KB
Sample

240417-qv6f8abd4w
MD5

349c2581b86901db05c226cbd7a48b19
SHA1

7f31520857da538449b95843f75ae0df3be53f8c
SHA256

270fe63181b51aa1075fe596fc05154fd26b0f90968a4c24185adce01287b5c7
SHA512

1fd331a6ae904232669a7d949bff1be79abce6d78cde6d64a7ba3094a2a5d05f13047cbd9d648a5da49551e7c6561b89874eef61bf3b8c88aef216b02ab46d67
SSDEEP

3072:45pzmEAcgPIuBiW/HI7W5jeaNgFeWW4iOhbURmN:47NAcgSESaWtRtN

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  04ec244112b44e9592f9c5e45ab50e67e402f0704d8121678afe46117de90482.exe
- Size
  
  233KB
- MD5
  
  f81a2c93c44bfec11cdd55eb53dde5df
- SHA1
  
  45cb3d7066113e86fff081e309265a797af0ef51
- SHA256
  
  04ec244112b44e9592f9c5e45ab50e67e402f0704d8121678afe46117de90482
- SHA512
  
  c9fc2a6239235aa0bf24e700665666c8500000bcc76dc8e26922f8cfc0f961949bf7fa04bf9877ea3254b9a5879752d1b3f75d945318c246770b507bc0b0199e
- SSDEEP
  
  3072:LefNGJ/ceeYkb2BNog9oADOF4t0wC0NnpXIpKjVEqLDOO7n+MnIitmjXO9ZJwVQk:Le1GM+NobFm0wC0NpYpuVEqSFOTF
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan