tofsee | 0feb3db1f329e0a0a248026b03df0bc76f462d51d13ff1ddd0069d189c3cd7e8 | Triage

Sharing

General

Target

2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia
Size

12.2MB
Sample

240530-3bdcjseg46
MD5

d5163a500b24c2d07720cb4019dd3923
SHA1

fc869db383392a90e85191049766eeb046767c10
SHA256

0feb3db1f329e0a0a248026b03df0bc76f462d51d13ff1ddd0069d189c3cd7e8
SHA512

98288e9c075089c90931e65ae8818aa033e6b3957dd445778e991a0ab6b7abc1ac498fa308cb257878300ff406dc8818937c6a28c95283a3cea36087969a1c85
SSDEEP

6144:JqXbY+SAjhUEzmPy0jhM7o8cMp/sP9gdiw1fagj1x2Eqqqqqqqqqqqqqqqqqqqqv:JqLY+4oAfj2o8X/U9gdjj

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2024-05-30_d5163a500b24c2d07720cb4019dd3923_mafia
- Size
  
  12.2MB
- MD5
  
  d5163a500b24c2d07720cb4019dd3923
- SHA1
  
  fc869db383392a90e85191049766eeb046767c10
- SHA256
  
  0feb3db1f329e0a0a248026b03df0bc76f462d51d13ff1ddd0069d189c3cd7e8
- SHA512
  
  98288e9c075089c90931e65ae8818aa033e6b3957dd445778e991a0ab6b7abc1ac498fa308cb257878300ff406dc8818937c6a28c95283a3cea36087969a1c85
- SSDEEP
  
  6144:JqXbY+SAjhUEzmPy0jhM7o8cMp/sP9gdiw1fagj1x2Eqqqqqqqqqqqqqqqqqqqqv:JqLY+4oAfj2o8X/U9gdjj
Score

10^/10

tofsee evasion execution persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionexecutionpersistencetrojan

behavioral2

tofseeevasionexecutionpersistencetrojan