tofsee

General

Target

style-scope_yt-formatted-string__Roblox_Swordbu.rar
Size

3.0MB
Sample

240507-twy1bagh79
MD5

72adf6282d82effa1ac333db997cb300
SHA1

85bbc661eeb765afb0e12bbb3d0011dbc4cf6154
SHA256

68e34570cef8230d98bfadb2ad0fa1cc56631dd25212c23759d003a93faff3de
SHA512

9bc297c9c63ad11409766e1a3e2d36becfa7d074ba40856ce87366eee94acf76a49afb264cd8c630bf2de59b8c69484c81a621b571caadfd714ff55156c3753f
SSDEEP

98304:dV7pG7KmRGdaREwtcEVq/UBORWYxriEHM:dkKmD/38/U

Score

10^/10

Malware Config

Targets

- Target
  
  setup.exe
- Size
  
  721.0MB
- MD5
  
  646f798c1a5eb86782cbbf04cba11e05
- SHA1
  
  bd0cb120ac3b85bd1e9dbc72e4a31efe31a92cfb
- SHA256
  
  1fe61c0e579f78c18d549c561581ab83cc6927ac18666b96e20f9bb3588ab72e
- SHA512
  
  0bea0e8314c44d3dd92aac98ea179b5d32e05d7bdc430a1baf46138de728ecc724baba5fc50ee0261f7023a511ecac8c4add73bd45783f10bba9512eb9b3b1d6
- SSDEEP
  
  49152:aWz0ly6XPtviJZlYcUCSWn59QZbuNhCNy5HFFeop4W4H7khMf2jTujMMa:rzT6w3YcVDn5Mu+Ny5+Bkh1wM
Score

10^/10

tofsee discovery evasion execution persistence spyware stealer themida trojan upx
- Modifies firewall policy service
  evasion
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies boot configuration data using bcdedit
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2