tofsee | d5331435ba6b848a67c87400e8d3633452759da265c44a4a1a0a04dadb7e77fe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

2024061579927f9388a4e69b8342bdaf0dcf9650mafia.exe
Size

14.3MB
Sample

240615-z336havbnf
MD5

79927f9388a4e69b8342bdaf0dcf9650
SHA1

8c9bcc03907be5c78d30cd6822c0f4e2610a6ecc
SHA256

d5331435ba6b848a67c87400e8d3633452759da265c44a4a1a0a04dadb7e77fe
SHA512

1ff2205055eb8156ee27e21e6392c2000638e2dac87223903db64b16891a2e7f6a2cd0d86f450199634a9a355897c348efe96c5f5bc4662ded3ad29853b0aaa6
SSDEEP

6144:u+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:u+r1IeSXMXc7LlxWV4Ug97GZ+ej

Score

10^/10

tofsee evasion execution persistence trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2024061579927f9388a4e69b8342bdaf0dcf9650mafia.exe
- Size
  
  14.3MB
- MD5
  
  79927f9388a4e69b8342bdaf0dcf9650
- SHA1
  
  8c9bcc03907be5c78d30cd6822c0f4e2610a6ecc
- SHA256
  
  d5331435ba6b848a67c87400e8d3633452759da265c44a4a1a0a04dadb7e77fe
- SHA512
  
  1ff2205055eb8156ee27e21e6392c2000638e2dac87223903db64b16891a2e7f6a2cd0d86f450199634a9a355897c348efe96c5f5bc4662ded3ad29853b0aaa6
- SSDEEP
  
  6144:u+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:u+r1IeSXMXc7LlxWV4Ug97GZ+ej
Score

10^/10

tofsee evasion execution persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionexecutionpersistencetrojan

behavioral2

tofseeevasionexecutionpersistencetrojan