tofsee | 3e5d30f259b40ab127bba4769025389b12bf665b30d08d2f4a4f250f923dc724 | Triage

Sharing

General

Target

2025-02-02_e39357b928ca044e73012265da182453_mafia
Size

12.9MB
Sample

250202-ylg19swmfx
MD5

e39357b928ca044e73012265da182453
SHA1

2dc6844a2f158f1d8902bfa57cb2e2caa31e8572
SHA256

3e5d30f259b40ab127bba4769025389b12bf665b30d08d2f4a4f250f923dc724
SHA512

5cd11ab9a7d1cbb699219f182bc7ac83207b2759047b6385ff283c86cd306d1329ae70842c5634c84f322c719020ef6c2286cd31a7347b3e35f11fa8e66a8804
SSDEEP

6144:8LQ1p/2p5e+D2jFHO+iZoy6u9FlfrXEz9NQNQNQNQNQNQNQNQNQNQNQNQNQNQNQ:xTYe+D2jFu+iZoUFhAz

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2025-02-02_e39357b928ca044e73012265da182453_mafia
- Size
  
  12.9MB
- MD5
  
  e39357b928ca044e73012265da182453
- SHA1
  
  2dc6844a2f158f1d8902bfa57cb2e2caa31e8572
- SHA256
  
  3e5d30f259b40ab127bba4769025389b12bf665b30d08d2f4a4f250f923dc724
- SHA512
  
  5cd11ab9a7d1cbb699219f182bc7ac83207b2759047b6385ff283c86cd306d1329ae70842c5634c84f322c719020ef6c2286cd31a7347b3e35f11fa8e66a8804
- SSDEEP
  
  6144:8LQ1p/2p5e+D2jFHO+iZoy6u9FlfrXEz9NQNQNQNQNQNQNQNQNQNQNQNQNQNQNQ:xTYe+D2jFu+iZoUFhAz
Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  defense_evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan