tofsee | adebf698ce7862226c1794aafa272bc8bdd8363ccfb2ed52964912f89f79e61e | Triage

Sharing

General

Target

2024-06-19_98fa720e04828c3150ee35c8cb30f403_mafia
Size

14.6MB
Sample

240619-y8wg6szfmf
MD5

98fa720e04828c3150ee35c8cb30f403
SHA1

d5b7405bd6d33d41b06f12dc8c15dc6abe65db4a
SHA256

adebf698ce7862226c1794aafa272bc8bdd8363ccfb2ed52964912f89f79e61e
SHA512

f0d572dac42f07c94debb447ff084e523dc9e7e7d597ad789f87d0459193db6d3d1e7c20b4afb072ca7bbd54d090524e625ba5f69e30f64ed610699804c3a3b8
SSDEEP

6144:2+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:2+r1IeSXMXc7LlxWV4Ug97GZ+ej

Score

10^/10

tofsee evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2024-06-19_98fa720e04828c3150ee35c8cb30f403_mafia
- Size
  
  14.6MB
- MD5
  
  98fa720e04828c3150ee35c8cb30f403
- SHA1
  
  d5b7405bd6d33d41b06f12dc8c15dc6abe65db4a
- SHA256
  
  adebf698ce7862226c1794aafa272bc8bdd8363ccfb2ed52964912f89f79e61e
- SHA512
  
  f0d572dac42f07c94debb447ff084e523dc9e7e7d597ad789f87d0459193db6d3d1e7c20b4afb072ca7bbd54d090524e625ba5f69e30f64ed610699804c3a3b8
- SSDEEP
  
  6144:2+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:2+r1IeSXMXc7LlxWV4Ug97GZ+ej
Score

10^/10

tofsee evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseeevasionexecutionpersistenceprivilege_escalationtrojan