tofsee | 83fcc1ada2ba29218388ebae476780e2d1b60ce6123bffbdca8398688fe037d1 | Triage

Sharing

General

Target

2025-03-30_437f4774772119f35bb3028350385af6_amadey_rhadamanthys_smoke-loader
Size

10.6MB
Sample

250330-k96smsvyds
MD5

437f4774772119f35bb3028350385af6
SHA1

1cf78bdcdb449015f41ca0d6e7fc32081591cec4
SHA256

83fcc1ada2ba29218388ebae476780e2d1b60ce6123bffbdca8398688fe037d1
SHA512

58831d413e37cae3ca24f5588390c0ff9eb3ea56207a0615d6c436c00a89bd1cf6117ffeaab718b7d98a947982c60764a2b88ed3ef6b77256adc77a6908f65a6
SSDEEP

3072:cCLVCtykRk5Kws3LQfNeBVe/KyNDrr91m:/eyki5KnUfNeBVe/E

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2025-03-30_437f4774772119f35bb3028350385af6_amadey_rhadamanthys_smoke-loader
- Size
  
  10.6MB
- MD5
  
  437f4774772119f35bb3028350385af6
- SHA1
  
  1cf78bdcdb449015f41ca0d6e7fc32081591cec4
- SHA256
  
  83fcc1ada2ba29218388ebae476780e2d1b60ce6123bffbdca8398688fe037d1
- SHA512
  
  58831d413e37cae3ca24f5588390c0ff9eb3ea56207a0615d6c436c00a89bd1cf6117ffeaab718b7d98a947982c60764a2b88ed3ef6b77256adc77a6908f65a6
- SSDEEP
  
  3072:cCLVCtykRk5Kws3LQfNeBVe/KyNDrr91m:/eyki5KnUfNeBVe/E
Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Windows security bypass
  defense_evasion trojan
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan