tofsee | e462a4edf20e32317f6164ab0eb8bcbf34e6e4adaa5c6c51f38e678bfc486944 | Triage

Sharing

General

Target

2025-02-01_f7da13f615639ece98410f33d193d766_mafia
Size

14.1MB
Sample

250201-n86b9s1mct
MD5

f7da13f615639ece98410f33d193d766
SHA1

3ff4669bef39fbec5c96038aac654faa8d7de61d
SHA256

e462a4edf20e32317f6164ab0eb8bcbf34e6e4adaa5c6c51f38e678bfc486944
SHA512

3d9b59b17b682fde082029b168a06a27a57ebe931827d4047ed8fe2eae07bcb1b37a8671238e677b89c6a819d3c2400044c2ad698c3a953fa83834c6825669ae
SSDEEP

24576:rEfmTNIkv/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZp:4fotT

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2025-02-01_f7da13f615639ece98410f33d193d766_mafia
- Size
  
  14.1MB
- MD5
  
  f7da13f615639ece98410f33d193d766
- SHA1
  
  3ff4669bef39fbec5c96038aac654faa8d7de61d
- SHA256
  
  e462a4edf20e32317f6164ab0eb8bcbf34e6e4adaa5c6c51f38e678bfc486944
- SHA512
  
  3d9b59b17b682fde082029b168a06a27a57ebe931827d4047ed8fe2eae07bcb1b37a8671238e677b89c6a819d3c2400044c2ad698c3a953fa83834c6825669ae
- SSDEEP
  
  24576:rEfmTNIkv/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZp:4fotT
Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  defense_evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan