tofsee | 84b2d95a886d34c5490009bb1c5a1cec1279f2d786de2093b65ab100793a7af1 | Triage

Sharing

General

Target

84b2d95a886d34c5490009bb1c5a1cec1279f2d786de2093b65ab100793a7af1
Size

130KB
Sample

240908-b41vrszdqg
MD5

9a617a1cf598f0b5c7c3c8801fd7c297
SHA1

63cdf61e8a992d042f3f4ea34681cb9464aadf59
SHA256

84b2d95a886d34c5490009bb1c5a1cec1279f2d786de2093b65ab100793a7af1
SHA512

3745e0a4b9d6e3d1bcb2ae7a22a9cb621ab41ee4345554ff03e922b776715d4398291a179e65b45d4a38fad4b885d470a6a624ae8d7fb23dddf5e5fcefb4da14
SSDEEP

3072:AP81fiN6+wBCwCFKkHINvuBNPLy+MPj/o1+Z:APr6+wBCwC2cHUrg1+Z

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  c55859f35ad07e3e4b13f45fa5fa4c788f7059daac930ea435600a936104c1b5.exe
- Size
  
  213KB
- MD5
  
  8e456f932787fcd0cadbb598174575b2
- SHA1
  
  22b069c76b86bdb6be8cdafc78019b55c583062e
- SHA256
  
  c55859f35ad07e3e4b13f45fa5fa4c788f7059daac930ea435600a936104c1b5
- SHA512
  
  cb26a33dacdcfe804bdd587ecd44b9bf1c59f357e8701fc4f5e1b04d8d8882466c7743fac51969fe8912e1197a5653986eb4a71edc35eee89051b6c98d546c9d
- SSDEEP
  
  6144:MGDLD6Tj3Vyg0mwiRjaVlodEFjvn/Mq0Vdh1HQ:M+L2n3VygtzRWJjv+Vdz
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan