tofsee | 74f055ccb9d657d623b62d41f22317c883d22e2cf4496b54d0d6ba5d1358d426 | Triage

Sharing

General

Target

74f055ccb9d657d623b62d41f22317c883d22e2cf4496b54d0d6ba5d1358d426
Size

123KB
Sample

240911-pzphts1cmk
MD5

43728e6202b0927bd2602752361c7e28
SHA1

9b82e1014407ce5ddbf8ba836112aeeb05e87d93
SHA256

74f055ccb9d657d623b62d41f22317c883d22e2cf4496b54d0d6ba5d1358d426
SHA512

c1838e650b78cb21a3426ee01f1f96df70e2b5832ed6b32429afff0485c6832c0f7085cde4df4f4c81297789d7805b55a8550f6f9aa0541762c57fb4c3ea7e7c
SSDEEP

3072:xCwN+NDnpUvjV7oKo7z3qDTCoOrDGCm46US:wrNDpUrVXo7z++Qd/US

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  50755e3eb1a407ef762cf957b272b483b314e911712c9e177b377efc8b1b5ea8
- Size
  
  13.2MB
- MD5
  
  5c22dd0023f2924fd7804a0ddbf7ae78
- SHA1
  
  280c5a888f5e30d0858b809611c47308b4e8bab4
- SHA256
  
  50755e3eb1a407ef762cf957b272b483b314e911712c9e177b377efc8b1b5ea8
- SHA512
  
  437e049e5ba7477b857b57f56f038f1f7d33e9edc78a5ac853eec6604aabe1eea801e45d4b9655aac230e5885a3a1e920d1b2d6409a215934f2768d0e167e254
- SSDEEP
  
  6144:UDVCynACXF+pI0zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzP:k8vmF+p
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan