tofsee | b773db8667f1e274bf3d8a8ed055aa965225ba25657b2a36cf14d3e3cb99c04b | Triage

Sharing

General

Target

2025-02-02_8ba4ff4266813dc16c13f8e327ce7d38_mafia
Size

12.4MB
Sample

250202-bfvc3sykds
MD5

8ba4ff4266813dc16c13f8e327ce7d38
SHA1

4f10ae5cc18a7229de3c86a128fa015b89c69db1
SHA256

b773db8667f1e274bf3d8a8ed055aa965225ba25657b2a36cf14d3e3cb99c04b
SHA512

8009b5bf8ba17783e4b3c0c31fc19a17bcbbab8792d3d8025c7f516fb9e03db762475f1e13864b83951bd356c5277f5d64a4758a689bdcf6af21ae411dd11023
SSDEEP

24576:HEfmTNIkv/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZL:kfot

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2025-02-02_8ba4ff4266813dc16c13f8e327ce7d38_mafia
- Size
  
  12.4MB
- MD5
  
  8ba4ff4266813dc16c13f8e327ce7d38
- SHA1
  
  4f10ae5cc18a7229de3c86a128fa015b89c69db1
- SHA256
  
  b773db8667f1e274bf3d8a8ed055aa965225ba25657b2a36cf14d3e3cb99c04b
- SHA512
  
  8009b5bf8ba17783e4b3c0c31fc19a17bcbbab8792d3d8025c7f516fb9e03db762475f1e13864b83951bd356c5277f5d64a4758a689bdcf6af21ae411dd11023
- SSDEEP
  
  24576:HEfmTNIkv/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZL:kfot
Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  defense_evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan