tofsee | ed3d51d8d09ff9f79b03d40fb912639f24094280abbf068d861780b5a440545e | Triage

Sharing

General

Target

2025-01-13_8f99b8d69deb167959d1393683ef98cf_mafia
Size

12.7MB
Sample

250113-x5zvravlas
MD5

8f99b8d69deb167959d1393683ef98cf
SHA1

6de38f45f39789d19b16585de4253305bd7fe37f
SHA256

ed3d51d8d09ff9f79b03d40fb912639f24094280abbf068d861780b5a440545e
SHA512

dbbe11ee848813339c5f3652d934f33348277e43ad5f5e0bcfb0cf9091a163999b40f140a1b49629ba936cf979f4ed42299931eaf440ac780e4f0ade70f05e1b
SSDEEP

24576:UpomTTN9ttttttttttttttttttttttttttttttttttttttttttttttttttttttt3:goo

Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2025-01-13_8f99b8d69deb167959d1393683ef98cf_mafia
- Size
  
  12.7MB
- MD5
  
  8f99b8d69deb167959d1393683ef98cf
- SHA1
  
  6de38f45f39789d19b16585de4253305bd7fe37f
- SHA256
  
  ed3d51d8d09ff9f79b03d40fb912639f24094280abbf068d861780b5a440545e
- SHA512
  
  dbbe11ee848813339c5f3652d934f33348277e43ad5f5e0bcfb0cf9091a163999b40f140a1b49629ba936cf979f4ed42299931eaf440ac780e4f0ade70f05e1b
- SSDEEP
  
  24576:UpomTTN9ttttttttttttttttttttttttttttttttttttttttttttttttttttttt3:goo
Score

10^/10

tofsee discovery evasion execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan