tofsee | de2f8364ba3eec3963be343dbe4483357092b80173664702d0bb9069c8a7da08 | Triage

Sharing

General

Target

de2f8364ba3eec3963be343dbe4483357092b80173664702d0bb9069c8a7da08.exe
Size

10.6MB
Sample

241124-erjmhatkft
MD5

599879f0d1c0cd8dbab720e9b8b9f963
SHA1

af7e923a872f9480fa8880e13684bf5a8dcf3db3
SHA256

de2f8364ba3eec3963be343dbe4483357092b80173664702d0bb9069c8a7da08
SHA512

09a5a69e59f4f23b9be160da9d8d6eb87e594ce100acddf0d968d7c4600fdf9ca96b90df7add41fc8607f4fee357176d45b5b7c0dcdbda9d4572f8b4a6c605fb
SSDEEP

6144:jeaRFeYiZtnsLs/Xyihb124uKPoifbY/3sGIU5N5Z:jF7/iZtRXpu3ijwf5TZ

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

defeatwax.ru

refabyd.info

Targets

- Target
  
  de2f8364ba3eec3963be343dbe4483357092b80173664702d0bb9069c8a7da08.exe
- Size
  
  10.6MB
- MD5
  
  599879f0d1c0cd8dbab720e9b8b9f963
- SHA1
  
  af7e923a872f9480fa8880e13684bf5a8dcf3db3
- SHA256
  
  de2f8364ba3eec3963be343dbe4483357092b80173664702d0bb9069c8a7da08
- SHA512
  
  09a5a69e59f4f23b9be160da9d8d6eb87e594ce100acddf0d968d7c4600fdf9ca96b90df7add41fc8607f4fee357176d45b5b7c0dcdbda9d4572f8b4a6c605fb
- SSDEEP
  
  6144:jeaRFeYiZtnsLs/Xyihb124uKPoifbY/3sGIU5N5Z:jF7/iZtRXpu3ijwf5TZ
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan