tofsee | 710bc2bf55462500540675be0f0310615feab68b516920490cfbc7024a2e9c10 | Triage

Sharing

General

Target

2025-01-28_c062307017454af9e7f89920ca5225b3_mafia
Size

11.7MB
Sample

250128-tezwaawqgr
MD5

c062307017454af9e7f89920ca5225b3
SHA1

933fb5be727d82d4fd302e377619e07bc55ca490
SHA256

710bc2bf55462500540675be0f0310615feab68b516920490cfbc7024a2e9c10
SHA512

1d667e99d7f1f462f87dd82266ded0fb053074975270cdb25f278951a7580d63699f442b328b17caf122cd81a213b9a1dfecff86c9d7fbd57d9b4e07b54960cf
SSDEEP

6144:zLQ1p/2p5e+D2jFHO+iZoy6u9FlfrXEz9NQNQNQNQNQNQNQNQNQNQNQNQNQNQNQ8:ITYe+D2jFu+iZoUFhAzh

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2025-01-28_c062307017454af9e7f89920ca5225b3_mafia
- Size
  
  11.7MB
- MD5
  
  c062307017454af9e7f89920ca5225b3
- SHA1
  
  933fb5be727d82d4fd302e377619e07bc55ca490
- SHA256
  
  710bc2bf55462500540675be0f0310615feab68b516920490cfbc7024a2e9c10
- SHA512
  
  1d667e99d7f1f462f87dd82266ded0fb053074975270cdb25f278951a7580d63699f442b328b17caf122cd81a213b9a1dfecff86c9d7fbd57d9b4e07b54960cf
- SSDEEP
  
  6144:zLQ1p/2p5e+D2jFHO+iZoy6u9FlfrXEz9NQNQNQNQNQNQNQNQNQNQNQNQNQNQNQ8:ITYe+D2jFu+iZoUFhAzh
Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  defense_evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan