tofsee | 90aacf0dcedad342aaf6a68caa80e8a0d64d44612405207e1ca11795236e09d0 | Triage

Sharing

General

Target

dfa8d594788b84c5fab3e2161b4fb320_NeikiAnalytics.exe
Size

231KB
Sample

240527-pnqazsca3t
MD5

dfa8d594788b84c5fab3e2161b4fb320
SHA1

3f6a2f39ae93e5bf4f0677e68d429edfc7889cfe
SHA256

90aacf0dcedad342aaf6a68caa80e8a0d64d44612405207e1ca11795236e09d0
SHA512

c38249eee1ffd1c1b526446f91d632a6e290de819ccd1b6ece429219ab88da94da50d6bcc394e3df17d19cd90643a9c7175f25674b60d7394cb3b6eb5d0fc753
SSDEEP

3072:J+NMi6c8OZi6+bdUtueSK4S+8Ek/rkrVV+TwS31rhduafc+ofzjXvn4ndT9y+Y:tc1JkdmhT11krVV+TZ3jlc+o7jX6dT

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  dfa8d594788b84c5fab3e2161b4fb320_NeikiAnalytics.exe
- Size
  
  231KB
- MD5
  
  dfa8d594788b84c5fab3e2161b4fb320
- SHA1
  
  3f6a2f39ae93e5bf4f0677e68d429edfc7889cfe
- SHA256
  
  90aacf0dcedad342aaf6a68caa80e8a0d64d44612405207e1ca11795236e09d0
- SHA512
  
  c38249eee1ffd1c1b526446f91d632a6e290de819ccd1b6ece429219ab88da94da50d6bcc394e3df17d19cd90643a9c7175f25674b60d7394cb3b6eb5d0fc753
- SSDEEP
  
  3072:J+NMi6c8OZi6+bdUtueSK4S+8Ek/rkrVV+TwS31rhduafc+ofzjXvn4ndT9y+Y:tc1JkdmhT11krVV+TZ3jlc+o7jX6dT
Score

10^/10

tofsee evasion execution persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionexecutionpersistencetrojan

behavioral2

tofseeevasionexecutionpersistencetrojan