tofsee | 94d2886b9a43d885420c56ed2fbb1cfab5bcba56a586147e3c85105fe9811ed6 | Triage

Sharing

General

Target

2025-01-27_5bc75a30d7408b73c62555e1e6bad49c_mafia
Size

10.3MB
Sample

250127-m6vmbawpep
MD5

5bc75a30d7408b73c62555e1e6bad49c
SHA1

f9c5e43e43b879c87554a8a75a37c12e3b0b0d06
SHA256

94d2886b9a43d885420c56ed2fbb1cfab5bcba56a586147e3c85105fe9811ed6
SHA512

8cb2983b82d6246126da4782e6a2990598fc898eb4560280c1fe6b0399f2421d9e313816f77bd48ecd2f5b3eb8bb393ed2e7660185a5502181ee99ae14d71e74
SSDEEP

24576:UEfmTNIkv/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZg:xfotq

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2025-01-27_5bc75a30d7408b73c62555e1e6bad49c_mafia
- Size
  
  10.3MB
- MD5
  
  5bc75a30d7408b73c62555e1e6bad49c
- SHA1
  
  f9c5e43e43b879c87554a8a75a37c12e3b0b0d06
- SHA256
  
  94d2886b9a43d885420c56ed2fbb1cfab5bcba56a586147e3c85105fe9811ed6
- SHA512
  
  8cb2983b82d6246126da4782e6a2990598fc898eb4560280c1fe6b0399f2421d9e313816f77bd48ecd2f5b3eb8bb393ed2e7660185a5502181ee99ae14d71e74
- SSDEEP
  
  24576:UEfmTNIkv/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZg:xfotq
Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  defense_evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan