tofsee | 8eb33da353d3756d8cd4cb9308fd5ef72a9b35441bec41fd17c3f3ee508ea9ab | Triage

Sharing

General

Target

cc3ac85b3c5690d542ed9f3266b9bd83.exe
Size

204KB
Sample

240521-c5a66sfe8v
MD5

cc3ac85b3c5690d542ed9f3266b9bd83
SHA1

af14f36d9412a1c79453a622a5ad343cc01ca6f7
SHA256

8eb33da353d3756d8cd4cb9308fd5ef72a9b35441bec41fd17c3f3ee508ea9ab
SHA512

f250d0f37cd513dd6e647355bd1940d7210093eb27a1bf2d6dbe6ef8673af731c7dccef24c9948a36ac4e06a18803c9082fb7db7ba59a5ecbf94d064981c6a74
SSDEEP

3072:hpBsWcSkjvEOx+ss6IR15t471Z6/MJlJnmd772g+iBGLYS:h87S4PIj54brGj+i6Y

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  cc3ac85b3c5690d542ed9f3266b9bd83.exe
- Size
  
  204KB
- MD5
  
  cc3ac85b3c5690d542ed9f3266b9bd83
- SHA1
  
  af14f36d9412a1c79453a622a5ad343cc01ca6f7
- SHA256
  
  8eb33da353d3756d8cd4cb9308fd5ef72a9b35441bec41fd17c3f3ee508ea9ab
- SHA512
  
  f250d0f37cd513dd6e647355bd1940d7210093eb27a1bf2d6dbe6ef8673af731c7dccef24c9948a36ac4e06a18803c9082fb7db7ba59a5ecbf94d064981c6a74
- SSDEEP
  
  3072:hpBsWcSkjvEOx+ss6IR15t471Z6/MJlJnmd772g+iBGLYS:h87S4PIj54brGj+i6Y
Score

10^/10

tofsee evasion execution persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify Tools

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

tofseeevasionexecutionpersistencetrojan

behavioral2

tofseeevasionexecutionpersistencetrojan