tofsee | 6fda24d69c23139069d2457ba943191803a5893c0822d782f5c7e199e44558b2 | Triage

Sharing

General

Target

2025-04-24_51a28de8a1c2cfeb792e5ef402040552_amadey_elex_rhadamanthys_smoke-loader
Size

10.1MB
Sample

250424-tzf9ns1pw3
MD5

51a28de8a1c2cfeb792e5ef402040552
SHA1

7bdee4555e81ead670416103f848b00443b33794
SHA256

6fda24d69c23139069d2457ba943191803a5893c0822d782f5c7e199e44558b2
SHA512

175bb524bf4360d7c4edaaea59e293c04da396eb26e21eb35f863ce9e19255bed5e5496f8d8d370c10f3f22d06bcab6b232cebe4ad1b6f122ba80168ee18de3c
SSDEEP

24576:fN3cxFN3RaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRH:fNA3

Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  2025-04-24_51a28de8a1c2cfeb792e5ef402040552_amadey_elex_rhadamanthys_smoke-loader
- Size
  
  10.1MB
- MD5
  
  51a28de8a1c2cfeb792e5ef402040552
- SHA1
  
  7bdee4555e81ead670416103f848b00443b33794
- SHA256
  
  6fda24d69c23139069d2457ba943191803a5893c0822d782f5c7e199e44558b2
- SHA512
  
  175bb524bf4360d7c4edaaea59e293c04da396eb26e21eb35f863ce9e19255bed5e5496f8d8d370c10f3f22d06bcab6b232cebe4ad1b6f122ba80168ee18de3c
- SSDEEP
  
  24576:fN3cxFN3RaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRaRH:fNA3
Score

10^/10

tofsee defense_evasion discovery execution persistence privilege_escalation trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

behavioral2

tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan