tofsee | 379ca83aa9e775151a10c620998e9bbd4a56aa8d447e8d18d9e123eeebb195b0 | Triage

Sharing

General

Target

379ca83aa9e775151a10c620998e9bbd4a56aa8d447e8d18d9e123eeebb195b0
Size

166KB
Sample

240417-qvqqrshg64
MD5

0e9b97c7b9a3aecc97e15c0d6ecbd3a7
SHA1

ca30b3adfd129819012e42dc5360d768c2eeed41
SHA256

379ca83aa9e775151a10c620998e9bbd4a56aa8d447e8d18d9e123eeebb195b0
SHA512

d44bcc3f77096696fab1eb1f98d712672436fd1c5d04b62b4096ce01d7decda5658b935539e3596fe853a632875e21b9b0d42b1a4e7d5d680c4fbce5caa8bdb1
SSDEEP

3072:x3Ai1t5W7coHfH09aJmLzF3KyRAsGH3PhAkqxqYGTjvRzNV73FMjEuKkYTRA8:x3AYmlcEknRWuxqYsvB37FPkYTRA8

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  489f26c346d2ff193ea6802b5c23e2bfa596960d2358d10ca70c60e590f61d3e.exe
- Size
  
  307KB
- MD5
  
  002577e928a32cc049a70cc3dfd32f1a
- SHA1
  
  3260f1f784d1423c622b895cd8df6198c10afef2
- SHA256
  
  489f26c346d2ff193ea6802b5c23e2bfa596960d2358d10ca70c60e590f61d3e
- SHA512
  
  b696003b75d28c5b5004e9ad5f0d6d2d5685eccbb59935d870a222c28a10700281690df42b95ab745aaafa7c0a4987ea52d8b54792e481ba49f8af81fd86ca82
- SSDEEP
  
  3072:TTUp9FKYtnJVHdc+O4vVUfF3vjS2MA7215s6pJUMu63jXdo:U5KWJVHdhftUBbVMA72E6pLjX
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan