tofsee | 81595867fd9d0b95045a5afe848f34a8cb7d1b6064dd955cf2d7d16420ffa77c | Triage

Sharing

General

Target

81595867fd9d0b95045a5afe848f34a8cb7d1b6064dd955cf2d7d16420ffa77c
Size

127KB
Sample

240417-rjzd7sbd32
MD5

7ab264c45442cd46e087281712964a99
SHA1

f7c0f539e62ebca4162a5b3192f236aaf0544bc3
SHA256

81595867fd9d0b95045a5afe848f34a8cb7d1b6064dd955cf2d7d16420ffa77c
SHA512

f1dbf79a8a5f67cfee6fc5664209e29582024caa622c2b64fd47faeb2f5dcb978974df7a1f69ce95bb459b067ff0bbbf72de02d5086deb648dac223085a2b4a4
SSDEEP

3072:NFOAOuA2k/CXKIeyivcWB6k0dB9XPhJ+3Y4vbjSTgAPJS:NF8H2kqXKIfiUWONXZ14vf2P0

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  755b1b45c26d282f094d504074bbdf897f6460968db67dd7d88a4702e03ef7f9.exe
- Size
  
  203KB
- MD5
  
  d88f7c78b3be6c96c33b80a8e1bb85de
- SHA1
  
  ce07fb26b0ec69cdf563f98560aa4f7f298e6e8d
- SHA256
  
  755b1b45c26d282f094d504074bbdf897f6460968db67dd7d88a4702e03ef7f9
- SHA512
  
  1c396a26da383d01ddc317bc4c565c5825b0e452bcf262ac849cd720acb6cb7abcc08e895041e59246dd7686e72424990728745716815a5879bce30769e3e898
- SSDEEP
  
  3072:Ef3B/ALaZdXUNc8iirJiM21K7uSbrF068c0E0rBNWRDxlH+cmH:Ef32clVO598c0EHxQco
Score

10^/10

tofsee evasion persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan