tofsee | cc4961f20bc142b7f874d38b3b4179a03b428c8348eaa177c57579673ea0624e | Triage

Sharing

General

Target

cc4961f20bc142b7f874d38b3b4179a03b428c8348eaa177c57579673ea0624e
Size

10.0MB
Sample

240506-lba4rafe9t
MD5

19f2564fe3b3636567957a0b29a78ac5
SHA1

f4d8c30d67b9dad6bca7a703bb42578135fc966b
SHA256

cc4961f20bc142b7f874d38b3b4179a03b428c8348eaa177c57579673ea0624e
SHA512

962c4c8bd1966f6e742e60625e326f112fd0eed2d045bab0c3dee92505982e11ef7cc71da2af22251ec580cfc77e50640e47dd7e81082f04973e53aa2d914b83
SSDEEP

6144:rzH/2P/6m1uCQ/RqO+Wy+PqSb0iXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:rT/2P/6m1uCQMO+W1Cx

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  cc4961f20bc142b7f874d38b3b4179a03b428c8348eaa177c57579673ea0624e
- Size
  
  10.0MB
- MD5
  
  19f2564fe3b3636567957a0b29a78ac5
- SHA1
  
  f4d8c30d67b9dad6bca7a703bb42578135fc966b
- SHA256
  
  cc4961f20bc142b7f874d38b3b4179a03b428c8348eaa177c57579673ea0624e
- SHA512
  
  962c4c8bd1966f6e742e60625e326f112fd0eed2d045bab0c3dee92505982e11ef7cc71da2af22251ec580cfc77e50640e47dd7e81082f04973e53aa2d914b83
- SSDEEP
  
  6144:rzH/2P/6m1uCQ/RqO+Wy+PqSb0iXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:rT/2P/6m1uCQMO+W1Cx
Score

10^/10

tofsee evasion execution persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionexecutionpersistencetrojan

behavioral2

tofseeevasionexecutionpersistencetrojan