tofsee | 79d3cfabbde62600f74af50d8585ee6d0fbac3739a93d6f8a38a4b9f6e066e5e | Triage

Sharing

General

Target

2024-11-10_6c798b40326240e996f80aae14a6eb22_mafia
Size

12.4MB
Sample

241110-xlqsqssgkl
MD5

6c798b40326240e996f80aae14a6eb22
SHA1

36a67317530c39bfc6e326cb00b7bee94f9d33e7
SHA256

79d3cfabbde62600f74af50d8585ee6d0fbac3739a93d6f8a38a4b9f6e066e5e
SHA512

9534dff70e8a8f7f2aace258f9cbf81bbf684b096eca11b76e1a3e8a4f96c690267ddf87c7ac60145814670669ad459e0e9c5fbcad68ad77af8f0b0b5ed302f2
SSDEEP

49152:+Vdrl/8HAzGCbGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGv:+Vdrl/9zG

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2024-11-10_6c798b40326240e996f80aae14a6eb22_mafia
- Size
  
  12.4MB
- MD5
  
  6c798b40326240e996f80aae14a6eb22
- SHA1
  
  36a67317530c39bfc6e326cb00b7bee94f9d33e7
- SHA256
  
  79d3cfabbde62600f74af50d8585ee6d0fbac3739a93d6f8a38a4b9f6e066e5e
- SHA512
  
  9534dff70e8a8f7f2aace258f9cbf81bbf684b096eca11b76e1a3e8a4f96c690267ddf87c7ac60145814670669ad459e0e9c5fbcad68ad77af8f0b0b5ed302f2
- SSDEEP
  
  49152:+Vdrl/8HAzGCbGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGv:+Vdrl/9zG
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan