tofsee | 7d0023a2f443b8eb33c6ee168a1fc616fe529df117f92061b0e8760eddf7a555 | Triage

Sharing

General

Target

2024-06-19_818b963dce1ce4708eda0e2859641b7d_mafia
Size

14.1MB
Sample

240619-y4l3yazdmg
MD5

818b963dce1ce4708eda0e2859641b7d
SHA1

6da48a7e8690202a37725013f3ac254d5947ef20
SHA256

7d0023a2f443b8eb33c6ee168a1fc616fe529df117f92061b0e8760eddf7a555
SHA512

8e46be9f4a3e06f3f52684fc0a14ab427696f0a7addb2ae94cb9bc71bf1f79bafd03f8d6d5f8e9bb3fcdfabf69419ad27657ca5976c56d42ea3e82aba0eb3a64
SSDEEP

6144:J+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:J+r1IeSXMXc7LlxWV4Ug97GZ+ej

Score

10^/10

tofsee evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2024-06-19_818b963dce1ce4708eda0e2859641b7d_mafia
- Size
  
  14.1MB
- MD5
  
  818b963dce1ce4708eda0e2859641b7d
- SHA1
  
  6da48a7e8690202a37725013f3ac254d5947ef20
- SHA256
  
  7d0023a2f443b8eb33c6ee168a1fc616fe529df117f92061b0e8760eddf7a555
- SHA512
  
  8e46be9f4a3e06f3f52684fc0a14ab427696f0a7addb2ae94cb9bc71bf1f79bafd03f8d6d5f8e9bb3fcdfabf69419ad27657ca5976c56d42ea3e82aba0eb3a64
- SSDEEP
  
  6144:J+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:J+r1IeSXMXc7LlxWV4Ug97GZ+ej
Score

10^/10

tofsee evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseeevasionexecutionpersistenceprivilege_escalationtrojan