tofsee | e43e5ab74abfb739e8fd709e7153efc24afaae103f5dedf1aa2ec1e052d25d87 | Triage

Sharing

General

Target

2025-04-24_e952190a98c53f52a1252fd9c91926bb_black-basta_elex_luca-stealer_smoke-loader
Size

14.5MB
Sample

250424-svdsbazjx3
MD5

e952190a98c53f52a1252fd9c91926bb
SHA1

17ce5e5074bb0eb460e9d2e10a8290013be96e0f
SHA256

e43e5ab74abfb739e8fd709e7153efc24afaae103f5dedf1aa2ec1e052d25d87
SHA512

e249ce6efff9a6f2a7d9407058528a80784b737a546004ac0deb6df55ea8fa1f44601d74937df0eb81ec212e3a41a2a5b93ba52af7e07020ffc519b80781df93
SSDEEP

3072:VZnbTHQC2mC+vdVcQuHAGSr9viHWhPxO796t6B7Aw5S2FxmEBVrVrVrVrVrVrVrM:vnJjcngGSrlqFp6kCyxT0

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

- Target
  
  2025-04-24_e952190a98c53f52a1252fd9c91926bb_black-basta_elex_luca-stealer_smoke-loader
- Size
  
  14.5MB
- MD5
  
  e952190a98c53f52a1252fd9c91926bb
- SHA1
  
  17ce5e5074bb0eb460e9d2e10a8290013be96e0f
- SHA256
  
  e43e5ab74abfb739e8fd709e7153efc24afaae103f5dedf1aa2ec1e052d25d87
- SHA512
  
  e249ce6efff9a6f2a7d9407058528a80784b737a546004ac0deb6df55ea8fa1f44601d74937df0eb81ec212e3a41a2a5b93ba52af7e07020ffc519b80781df93
- SSDEEP
  
  3072:VZnbTHQC2mC+vdVcQuHAGSr9viHWhPxO796t6B7Aw5S2FxmEBVrVrVrVrVrVrVrM:vnJjcngGSrlqFp6kCyxT0
Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseediscoverytrojan