tofsee | 69b4acf0e4f2fb04e24c83c233f794ea13b47e096cbbda7030c4208de84b2d69 | Triage

Sharing

General

Target

69b4acf0e4f2fb04e24c83c233f794ea13b47e096cbbda7030c4208de84b2d69
Size

10.9MB
Sample

240529-k8zb6saf22
MD5

d317d5f42247781eb3a91c3ec3e334ab
SHA1

ce9cc42433c12fab5af097adeac7c61317e305aa
SHA256

69b4acf0e4f2fb04e24c83c233f794ea13b47e096cbbda7030c4208de84b2d69
SHA512

dd810a62da01893e76cb36c510fbe52899f2b49e27b673ae99f897ccf27e5fa2b3fd6281461c35dfa743af8ea979415e12c0ffe7a8da3479f91ed7f730f7f0df
SSDEEP

24576:kxtPE2gggggggggggggggggggggggggggggggggggggggggggggggggggggggggg:WtPE

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  69b4acf0e4f2fb04e24c83c233f794ea13b47e096cbbda7030c4208de84b2d69
- Size
  
  10.9MB
- MD5
  
  d317d5f42247781eb3a91c3ec3e334ab
- SHA1
  
  ce9cc42433c12fab5af097adeac7c61317e305aa
- SHA256
  
  69b4acf0e4f2fb04e24c83c233f794ea13b47e096cbbda7030c4208de84b2d69
- SHA512
  
  dd810a62da01893e76cb36c510fbe52899f2b49e27b673ae99f897ccf27e5fa2b3fd6281461c35dfa743af8ea979415e12c0ffe7a8da3479f91ed7f730f7f0df
- SSDEEP
  
  24576:kxtPE2gggggggggggggggggggggggggggggggggggggggggggggggggggggggggg:WtPE
Score

10^/10

tofsee evasion execution persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionexecutionpersistencetrojan

behavioral2

tofseeevasionexecutionpersistencetrojan