tofsee | 5496d968b378eef69af5eb89159bc728b8ad9e395e42c74f788a4b7a8ec8a7bd | Triage

Sharing

General

Target

5496d968b378eef69af5eb89159bc728b8ad9e395e42c74f788a4b7a8ec8a7bd.exe
Size

290KB
Sample

240615-bxsktayapr
MD5

985584f5b7be5d605c1264624f4bd68e
SHA1

8efbf3680021b3fb3b68094ee5296dcabb5abc1a
SHA256

5496d968b378eef69af5eb89159bc728b8ad9e395e42c74f788a4b7a8ec8a7bd
SHA512

e6c582d168f066c031161b8b098114edd95f5fde5c70eb1e8150fb44fd3520a4be7e9e71195c3c58078d7b9802e053ffa3e452a87965eb9e6a0ac580ccd8e34b
SSDEEP

3072:NNnq5gpiR+cS7kBapQOm47e6rGyQqKCHRsJFULJtkSUyHbmcnTVaz42JVOrTKYj:rq5gN70xee6treFD7y7mcnTVaBJVOrT

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  5496d968b378eef69af5eb89159bc728b8ad9e395e42c74f788a4b7a8ec8a7bd.exe
- Size
  
  290KB
- MD5
  
  985584f5b7be5d605c1264624f4bd68e
- SHA1
  
  8efbf3680021b3fb3b68094ee5296dcabb5abc1a
- SHA256
  
  5496d968b378eef69af5eb89159bc728b8ad9e395e42c74f788a4b7a8ec8a7bd
- SHA512
  
  e6c582d168f066c031161b8b098114edd95f5fde5c70eb1e8150fb44fd3520a4be7e9e71195c3c58078d7b9802e053ffa3e452a87965eb9e6a0ac580ccd8e34b
- SSDEEP
  
  3072:NNnq5gpiR+cS7kBapQOm47e6rGyQqKCHRsJFULJtkSUyHbmcnTVaz42JVOrTKYj:rq5gN70xee6treFD7y7mcnTVaBJVOrT
Score

10^/10

tofsee evasion execution persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionexecutionpersistencetrojan

behavioral2

tofseeevasionexecutionpersistencetrojan