tofsee | 36625804f1099ea6e06a519a470c8a82b97aa4e7648a257b72182a60c1d277a6 | Triage

Sharing

General

Target

2025-02-07_84bf7d5589f060ac9be7580ba979152d_mafia
Size

11.2MB
Sample

250207-z2fzksxpgt
MD5

84bf7d5589f060ac9be7580ba979152d
SHA1

5ccd57c2b6b7672625c156155e3f1c52fffbb8f6
SHA256

36625804f1099ea6e06a519a470c8a82b97aa4e7648a257b72182a60c1d277a6
SHA512

761fd1b449310b223f9162ce688d4f1cd3b663cfeac359624c35fdb2cd75f2dfad50f3e5b643bd12bc1b74d4c8818e5a9622688da6acc2d65c5e724968686e4d
SSDEEP

196608:xyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXH:cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2025-02-07_84bf7d5589f060ac9be7580ba979152d_mafia
- Size
  
  11.2MB
- MD5
  
  84bf7d5589f060ac9be7580ba979152d
- SHA1
  
  5ccd57c2b6b7672625c156155e3f1c52fffbb8f6
- SHA256
  
  36625804f1099ea6e06a519a470c8a82b97aa4e7648a257b72182a60c1d277a6
- SHA512
  
  761fd1b449310b223f9162ce688d4f1cd3b663cfeac359624c35fdb2cd75f2dfad50f3e5b643bd12bc1b74d4c8818e5a9622688da6acc2d65c5e724968686e4d
- SSDEEP
  
  196608:xyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXH:cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  defense_evasion trojan
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan