tofsee | eb1b2feb98b59beb0cd5075eac33337fa02a833b70bccd700c7ed03058064324 | Triage

Sharing

General

Target

2025-02-08_cfe362a77d9e209fcc14e0ec1d3d41c4_mafia
Size

12.4MB
Sample

250208-bdvwtsxqgm
MD5

cfe362a77d9e209fcc14e0ec1d3d41c4
SHA1

46ef445a2451b71801e75698aae629a6fd23b71b
SHA256

eb1b2feb98b59beb0cd5075eac33337fa02a833b70bccd700c7ed03058064324
SHA512

795a15b7fc1075824b37440fa7e03cd475c7a1c48607f713b18ed1eb99c1d54199daaef7ea575eb70f13fa6b761cb45371ae6918feb3521cea0e7d4a99d11653
SSDEEP

3072:XLBgXOXcdW8tar7vGdq8c7YMl2b8anmMXnb58XuDP9het3Zv1oSW1za2E+w5C2/Y:uOMdRQr7OB0ypmMXnl8XEPM3noSWOC

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2025-02-08_cfe362a77d9e209fcc14e0ec1d3d41c4_mafia
- Size
  
  12.4MB
- MD5
  
  cfe362a77d9e209fcc14e0ec1d3d41c4
- SHA1
  
  46ef445a2451b71801e75698aae629a6fd23b71b
- SHA256
  
  eb1b2feb98b59beb0cd5075eac33337fa02a833b70bccd700c7ed03058064324
- SHA512
  
  795a15b7fc1075824b37440fa7e03cd475c7a1c48607f713b18ed1eb99c1d54199daaef7ea575eb70f13fa6b761cb45371ae6918feb3521cea0e7d4a99d11653
- SSDEEP
  
  3072:XLBgXOXcdW8tar7vGdq8c7YMl2b8anmMXnb58XuDP9het3Zv1oSW1za2E+w5C2/Y:uOMdRQr7OB0ypmMXnl8XEPM3noSWOC
Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  defense_evasion trojan
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan