tofsee | 745bdfaca538f8ebb08584488dd61e2247e1588ad35f7f613a75194913efeac9 | Triage

Sharing

General

Target

745bdfaca538f8ebb08584488dd61e2247e1588ad35f7f613a75194913efeac9_NeikiAnalytics.exe
Size

101KB
Sample

240626-k8cs6sxdpg
MD5

8492363d0e0816032359dad26695b3d0
SHA1

302a9f2dd85e1b5341f4c631e0157550f7ddfe76
SHA256

745bdfaca538f8ebb08584488dd61e2247e1588ad35f7f613a75194913efeac9
SHA512

386ee8d62ecf7cc5d750c8860b26512d3bc07786215c88dec5c9ac6aa9028d1985dea1bbc740da089366b8cdd51f5d6d1562ff3977854353e528b164a60ec004
SSDEEP

1536:tktR15HzEFMoW0hO2tPsdV08NCiQ1fRO+FFCDoWf2vwxyLAPSHPwEDroGB9nE:mt354HWghsw1ZJrqfzxyGuoE/oG

Score

10^/10

tofsee evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  745bdfaca538f8ebb08584488dd61e2247e1588ad35f7f613a75194913efeac9_NeikiAnalytics.exe
- Size
  
  101KB
- MD5
  
  8492363d0e0816032359dad26695b3d0
- SHA1
  
  302a9f2dd85e1b5341f4c631e0157550f7ddfe76
- SHA256
  
  745bdfaca538f8ebb08584488dd61e2247e1588ad35f7f613a75194913efeac9
- SHA512
  
  386ee8d62ecf7cc5d750c8860b26512d3bc07786215c88dec5c9ac6aa9028d1985dea1bbc740da089366b8cdd51f5d6d1562ff3977854353e528b164a60ec004
- SSDEEP
  
  1536:tktR15HzEFMoW0hO2tPsdV08NCiQ1fRO+FFCDoWf2vwxyLAPSHPwEDroGB9nE:mt354HWghsw1ZJrqfzxyGuoE/oG
Score

10^/10

tofsee evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseeevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseeevasionexecutionpersistenceprivilege_escalationtrojan