tofsee | 01b700c27977b6b8ae19cbe35d53dd3e16cb800a09db0fa262027a2d6f561d23 | Triage

Sharing

General

Target

01b700c27977b6b8ae19cbe35d53dd3e16cb800a09db0fa262027a2d6f561d23
Size

4.2MB
Sample

240905-gg93taveph
MD5

5d12e495326a28cb3af7ef6a9af26c4c
SHA1

f4b1421aa75f5e7d021c64ebe713d8a0c801ed57
SHA256

01b700c27977b6b8ae19cbe35d53dd3e16cb800a09db0fa262027a2d6f561d23
SHA512

057a6c7818780165e4c67364ad5caab17ac0d1c6ffe47ebd1f60df242f66e2a6263eff9ca23bd4e75a2eb7172d9b7ea838a4ea69aab2aaaf9a4ee141adde1561
SSDEEP

98304:4y4vCrzRB48En5uisTROpEzhVe0ym+dfzV9K3u4ZV6YQP8O3ORqfnWF:/XrzRBjukxTsEC8+dfzVs+5YS8Xq/S

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  b84685b177c7bbd6e54c0cd81f5ac41c02e2c77a400b71a830636f93a686eaaf.exe
- Size
  
  11.6MB
- MD5
  
  fed6d9f141d4ac6b3388a2c90722bd62
- SHA1
  
  3480f699c94d4a520c8d92dfd2f6c84d5bd9668b
- SHA256
  
  b84685b177c7bbd6e54c0cd81f5ac41c02e2c77a400b71a830636f93a686eaaf
- SHA512
  
  f678216084e177bc51879d697f6e4201449874ed1c6f4c41fc1cb62aecf8ed5c3ab17784c1d30c481ee99c727fe0a29cd2854bdcaf554b3da425d59b5e957719
- SSDEEP
  
  6144:rc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:r1OZDisvwdaxO0PuG1R4CWs
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan