tofsee | 99a3f13c5a445eed6c7430d63a8865bf79d29635900e9fac1d9a2d24db1c2df8 | Triage

Sharing

General

Target

99a3f13c5a445eed6c7430d63a8865bf79d29635900e9fac1d9a2d24db1c2df8
Size

10.2MB
Sample

241004-x32lkawemg
MD5

0f729848b7866ea716612093fa2440ba
SHA1

2678bfe618cc4ef9a7badd7ca789c805215cb2b9
SHA256

99a3f13c5a445eed6c7430d63a8865bf79d29635900e9fac1d9a2d24db1c2df8
SHA512

56d3fba9f75645c105c3b78d5b6fb4a721aaabcda4521738caf1d6f2df144f418c5ed71f5f2ffbd4bfba4f368f884bf4bca1e273859f50a0868e479443845b79
SSDEEP

1536:PpUJsMq8nDNrnUtvDqJ55fNBVcmiCxmeZUUfOxxjDRvgdi0/z/jHNq8wR4vyKT:/6nlnZX17rpLfOz3t8FLti4v

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

103.248.137.133

59.188.74.26

115.230.124.76

111.121.193.242

Targets

- Target
  
  99a3f13c5a445eed6c7430d63a8865bf79d29635900e9fac1d9a2d24db1c2df8
- Size
  
  10.2MB
- MD5
  
  0f729848b7866ea716612093fa2440ba
- SHA1
  
  2678bfe618cc4ef9a7badd7ca789c805215cb2b9
- SHA256
  
  99a3f13c5a445eed6c7430d63a8865bf79d29635900e9fac1d9a2d24db1c2df8
- SHA512
  
  56d3fba9f75645c105c3b78d5b6fb4a721aaabcda4521738caf1d6f2df144f418c5ed71f5f2ffbd4bfba4f368f884bf4bca1e273859f50a0868e479443845b79
- SSDEEP
  
  1536:PpUJsMq8nDNrnUtvDqJ55fNBVcmiCxmeZUUfOxxjDRvgdi0/z/jHNq8wR4vyKT:/6nlnZX17rpLfOz3t8FLti4v
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan