tofsee | 899aa9dd6997669142d99322dc8151ca0bad52758a3a6680affd28447e3ca2e9 | Triage

Sharing

General

Target

82c2359d34d3963f1254fe66fd531487.bin
Size

14.8MB
Sample

240623-cy7a2awfkg
MD5

82c2359d34d3963f1254fe66fd531487
SHA1

9881acf4de4b213f1500bc6627858257e4bbd190
SHA256

899aa9dd6997669142d99322dc8151ca0bad52758a3a6680affd28447e3ca2e9
SHA512

f98500b7f3de7e2577454c23e14eff00feb0c434ac1bc544da6e2d67d5d4ffd53d6e0d180685358ecd187ae1a1b7c5e04dedac90f844607fca0314edfc122a26
SSDEEP

6144:v+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:v+r1IeSXMXc7LlxWV4Ug97GZ+ej

Score

10^/10

tofsee evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  82c2359d34d3963f1254fe66fd531487.bin
- Size
  
  14.8MB
- MD5
  
  82c2359d34d3963f1254fe66fd531487
- SHA1
  
  9881acf4de4b213f1500bc6627858257e4bbd190
- SHA256
  
  899aa9dd6997669142d99322dc8151ca0bad52758a3a6680affd28447e3ca2e9
- SHA512
  
  f98500b7f3de7e2577454c23e14eff00feb0c434ac1bc544da6e2d67d5d4ffd53d6e0d180685358ecd187ae1a1b7c5e04dedac90f844607fca0314edfc122a26
- SSDEEP
  
  6144:v+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:v+r1IeSXMXc7LlxWV4Ug97GZ+ej
Score

10^/10

tofsee evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseeevasionexecutionpersistenceprivilege_escalationtrojan