tofsee | 71d1f22830e0f40506171cda626891b4f954ec22f4a4cd0045b37f8d6c404451 | Triage

Sharing

General

Target

71d1f22830e0f40506171cda626891b4f954ec22f4a4cd0045b37f8d6c404451.exe
Size

2.0MB
Sample

240505-bj59rahg7y
MD5

b5829ea81cde8f48ba1190e20e6bb15d
SHA1

51fbb15275360bbf2a866f339045527e941e1a85
SHA256

71d1f22830e0f40506171cda626891b4f954ec22f4a4cd0045b37f8d6c404451
SHA512

d84e43e6cf342d0e7696be6b1cbcf42dce5d1efe518f4949faa8841ee398a25a63a6e41440eb10ba0d276454ba73752c9ffb17eddbfd0813a636646663e26b4a
SSDEEP

49152:aaXI0V7PoU9lHrHmvtiLGMIqCGLhRSCquJnm:3Y0V7gU9l2tiLGVGLhRvquJnm

Score

10^/10

tofsee zgrat evasion execution persistence rat spyware trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  71d1f22830e0f40506171cda626891b4f954ec22f4a4cd0045b37f8d6c404451.exe
- Size
  
  2.0MB
- MD5
  
  b5829ea81cde8f48ba1190e20e6bb15d
- SHA1
  
  51fbb15275360bbf2a866f339045527e941e1a85
- SHA256
  
  71d1f22830e0f40506171cda626891b4f954ec22f4a4cd0045b37f8d6c404451
- SHA512
  
  d84e43e6cf342d0e7696be6b1cbcf42dce5d1efe518f4949faa8841ee398a25a63a6e41440eb10ba0d276454ba73752c9ffb17eddbfd0813a636646663e26b4a
- SSDEEP
  
  49152:aaXI0V7PoU9lHrHmvtiLGMIqCGLhRSCquJnm:3Y0V7gU9l2tiLGVGLhRvquJnm
Score

10^/10

tofsee zgrat evasion execution persistence rat spyware trojan
- Detect ZGRat V1
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseezgratevasionexecutionpersistenceratspywaretrojan

behavioral2

tofseezgratevasionexecutionpersistenceratspywaretrojan