tofsee | a737bd18b9e6f84a049a7a74b4e746729bf8a60caba2267d86f468ee20a7409d | Triage

Sharing

General

Target

2025-02-05_0b402788ae36bf573d6e69354c37f310_mafia
Size

11.1MB
Sample

250205-2zkk4axlbk
MD5

0b402788ae36bf573d6e69354c37f310
SHA1

7e6265eebfb3fda97e75837d6376fa1386e603b8
SHA256

a737bd18b9e6f84a049a7a74b4e746729bf8a60caba2267d86f468ee20a7409d
SHA512

dd68e8e92ebc8a955149c539df14e4b34276b51c7a1df8233a0a7923a3ac565417dbdf0b0e834ad62198382349dfa23e66994fcf641fea8f8c09f19917ce67e8
SSDEEP

6144:cLQ1p/2p5e+D2jFHO+iZoy6u9FlfrXEz9NQNQNQNQNQNQNQNQNQNQNQNQNQNQNQG:RTYe+D2jFu+iZoUFhAzH

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2025-02-05_0b402788ae36bf573d6e69354c37f310_mafia
- Size
  
  11.1MB
- MD5
  
  0b402788ae36bf573d6e69354c37f310
- SHA1
  
  7e6265eebfb3fda97e75837d6376fa1386e603b8
- SHA256
  
  a737bd18b9e6f84a049a7a74b4e746729bf8a60caba2267d86f468ee20a7409d
- SHA512
  
  dd68e8e92ebc8a955149c539df14e4b34276b51c7a1df8233a0a7923a3ac565417dbdf0b0e834ad62198382349dfa23e66994fcf641fea8f8c09f19917ce67e8
- SSDEEP
  
  6144:cLQ1p/2p5e+D2jFHO+iZoy6u9FlfrXEz9NQNQNQNQNQNQNQNQNQNQNQNQNQNQNQG:RTYe+D2jFu+iZoUFhAzH
Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  defense_evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan