tofsee | e2174b13537dc8234e6c932a9120ab6d5eb004dd091857a181ae9eb3df542497 | Triage

Sharing

General

Target

e2174b13537dc8234e6c932a9120ab6d5eb004dd091857a181ae9eb3df542497
Size

11.8MB
Sample

240602-rg2fsafb75
MD5

ade63dc75ea4fa564bf4e22305ed117d
SHA1

7f82f3e44665fc2c7c5700199f12660147d715ac
SHA256

e2174b13537dc8234e6c932a9120ab6d5eb004dd091857a181ae9eb3df542497
SHA512

8fcf2d0bb49fad3c74047339f2c34b5dfffba5646141385715466c09f2dd3dbadefff0c8af2aab16944e6bc19ddaeda079e2c0bc86f1fd1383408e4e26806690
SSDEEP

6144:0mi0ogaXSQeSb79dvDUqpTOZ2mGs2839FLP+oUe5mjXFt0/DAooooooooooooooH:S0oRXSQeE79dvDUqlOUkP9F21pt

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  e2174b13537dc8234e6c932a9120ab6d5eb004dd091857a181ae9eb3df542497
- Size
  
  11.8MB
- MD5
  
  ade63dc75ea4fa564bf4e22305ed117d
- SHA1
  
  7f82f3e44665fc2c7c5700199f12660147d715ac
- SHA256
  
  e2174b13537dc8234e6c932a9120ab6d5eb004dd091857a181ae9eb3df542497
- SHA512
  
  8fcf2d0bb49fad3c74047339f2c34b5dfffba5646141385715466c09f2dd3dbadefff0c8af2aab16944e6bc19ddaeda079e2c0bc86f1fd1383408e4e26806690
- SSDEEP
  
  6144:0mi0ogaXSQeSb79dvDUqpTOZ2mGs2839FLP+oUe5mjXFt0/DAooooooooooooooH:S0oRXSQeE79dvDUqlOUkP9F21pt
Score

10^/10

tofsee evasion execution persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionexecutionpersistencetrojan

behavioral2

tofseeevasionexecutionpersistencetrojan