tofsee | 6d3fa2316c29890ab6313e6267ca90fdc1c7d92dd1e707cb77b74a7985150c1f | Triage

Sharing

General

Target

6d3fa2316c29890ab6313e6267ca90fdc1c7d92dd1e707cb77b74a7985150c1f
Size

10.3MB
Sample

240506-j7bdaahc52
MD5

feffbd9fa3b21798d4c34b42abf86ce0
SHA1

4a1979cb0232a525c4801e4789dc7538abcb82a0
SHA256

6d3fa2316c29890ab6313e6267ca90fdc1c7d92dd1e707cb77b74a7985150c1f
SHA512

51ec270aee48f5f38647c89a5b9a0488f82f4f2841ee8b10db77109e696c0152dc89efa4f63cd266e64908d2bd67843cd024d7e1b97338a767bb08ce7e73dbb0
SSDEEP

12288:j9GPViFkls15KJ4ClhxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxP:CiugC

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  6d3fa2316c29890ab6313e6267ca90fdc1c7d92dd1e707cb77b74a7985150c1f
- Size
  
  10.3MB
- MD5
  
  feffbd9fa3b21798d4c34b42abf86ce0
- SHA1
  
  4a1979cb0232a525c4801e4789dc7538abcb82a0
- SHA256
  
  6d3fa2316c29890ab6313e6267ca90fdc1c7d92dd1e707cb77b74a7985150c1f
- SHA512
  
  51ec270aee48f5f38647c89a5b9a0488f82f4f2841ee8b10db77109e696c0152dc89efa4f63cd266e64908d2bd67843cd024d7e1b97338a767bb08ce7e73dbb0
- SSDEEP
  
  12288:j9GPViFkls15KJ4ClhxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxP:CiugC
Score

10^/10

tofsee evasion execution persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionexecutionpersistencetrojan

behavioral2

tofseeevasionexecutionpersistencetrojan