win.tofsee

Tofsee

aka: Gheg

According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more.

Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.

References
2023-10-12 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
Families: FluBot, AsyncRAT, Ave Maria, Cobalt Strike, DCRat, Havoc, IcedID, ISFB, Nanocore RAT, NjRAT, QakBot, Quasar RAT, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Stealc, Tofsee, Vidar

2023-07-11 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Families: Hydra, AsyncRAT, Aurora Stealer, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Havoc, IcedID, ISFB, NjRAT, QakBot, Quasar RAT, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Tofsee

2023-04-12 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
Families: FluBot, Amadey, AsyncRAT, Aurora, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Emotet, IcedID, ISFB, NjRAT, QakBot, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Tofsee, Vidar

2023-04-10 | Check Point | Check Point
March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files
Families: Agent Tesla, CloudEyE, Emotet, Formbook, Nanocore RAT, NjRAT, QakBot, Remcos, Tofsee

2023-04-06 | Spamhaus | Raashid Bhat
Neutralizing Tofsee Spambot – Part 1 | Binary file vaccine
Families: Tofsee

2023-04-06 | Spamhaus | Raashid Bhat
Neutralizing Tofsee Spambot – Part 2 | InMemoryConfig store vaccine
Families: Tofsee

2023-04-06 | Spamhaus | Raashid Bhat
Neutralizing Tofsee Spambot – Part 3 | Network-based kill switch
Families: Tofsee

2023-03-28 | BitSight | André Tavares
Tofsee Botnet: Proxying and Mining
Families: Tofsee

2022-11-21 | Github (larsborn) | Lars Wallenborn
Tofsee String Decryption Code
Families: Tofsee

2022-10-13 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
Families: FluBot, Arkei Stealer, AsyncRAT, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Dridex, Emotet, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, QakBot, RecordBreaker, RedLine Stealer, Remcos, Socelars, Tofsee, Vjw0rm

2022-02-11 | Cisco Talos | Talos
Threat Roundup for February 4 to February 11
Families: DarkComet, Ghost RAT, Loki Password Stealer (PWS), Tinba, Tofsee, Zeus

2022-02-08 | Intel 471 | Intel 471
PrivateLoader: The first step in many malware schemes
Families: Dridex, Kronos, LockBit, Nanocore RAT, NjRAT, PrivateLoader, Quasar RAT, RedLine Stealer, Remcos, SmokeLoader, STOP, Tofsee, TrickBot, Vidar

2021-05-17 | Dragos | Kent Backman
Investigating the Watering Hole Linked to the Oldsmar Water Treatment Facility Breach
Families: Tofsee

2017-10-19 | CERT.PL | Jarosław Jedynak
A deeper look at Tofsee modules
Families: Tofsee

2017-10-06 | CERT.PL | Jarosław Jedynak, Maciej Kotowicz
Peering into spam botnets
Families: Emotet, Kelihos, Necurs, SendSafe, Tofsee

2017-03-24 | Zerophage
Terror EK via Malvertising delivers Tofsee Spambot
Families: Tofsee

2016-12-22 | GovCERT.ch | GovCERT.ch
Tofsee Spambot features .ch DGA - Reversal and Countermesaures
Families: Tofsee

2016-09-29 | Cisco Talos | Edmund Brumaghin
Want Tofsee My Pictures? A Botnet Gets Aggressive
Families: Tofsee

2016-09-16 | CERT.PL | Adam Krasuski
Tofsee – modular spambot
Families: Tofsee

2014-04-02 | Virus Bulletin | Ryan Mi
Tofsee botnet
Families: Tofsee

2009-03-17 | Marshal8e6 | Rodel Mendrez
Gheg spambot
Families: Tofsee
Yara Rules
[TLP:WHITE] win_tofsee_auto (20260504 | Detects win.tofsee.)
rule win_tofsee_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.tofsee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 397e0c 7421 397e10 741c 8d4614 50 }
            // n = 6, score = 400
            //   397e0c               | cmp                 dword ptr [esi + 0xc], edi
            //   7421                 | je                  0x23
            //   397e10               | cmp                 dword ptr [esi + 0x10], edi
            //   741c                 | je                  0x1e
            //   8d4614               | lea                 eax, [esi + 0x14]
            //   50                   | push                eax

        $sequence_1 = { 8bf8 8b473c 8b5c3850 6a04 be00100000 56 53 }
            // n = 7, score = 400
            //   8bf8                 | mov                 edi, eax
            //   8b473c               | mov                 eax, dword ptr [edi + 0x3c]
            //   8b5c3850             | mov                 ebx, dword ptr [eax + edi + 0x50]
            //   6a04                 | push                4
            //   be00100000           | mov                 esi, 0x1000
            //   56                   | push                esi
            //   53                   | push                ebx

        $sequence_2 = { 8d85d0feffff 50 ff15???????? 8b45e0 c68405d1feffff00 8b4508 2b45f0 }
            // n = 7, score = 400
            //   8d85d0feffff         | lea                 eax, [ebp - 0x130]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   c68405d1feffff00     | mov                 byte ptr [ebp + eax - 0x12f], 0
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   2b45f0               | sub                 eax, dword ptr [ebp - 0x10]

        $sequence_3 = { 59 59 89442420 0f84df000000 2174241c 21742418 }
            // n = 6, score = 400
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   0f84df000000         | je                  0xe5
            //   2174241c             | and                 dword ptr [esp + 0x1c], esi
            //   21742418             | and                 dword ptr [esp + 0x18], esi

        $sequence_4 = { 81ecac050000 83656c00 83654800 56 57 }
            // n = 5, score = 400
            //   81ecac050000         | sub                 esp, 0x5ac
            //   83656c00             | and                 dword ptr [ebp + 0x6c], 0
            //   83654800             | and                 dword ptr [ebp + 0x48], 0
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_5 = { 8935???????? 891d???????? 891d???????? 891d???????? 8935???????? c705????????05000000 c705????????30750000 }
            // n = 7, score = 400
            //   8935????????         |                     
            //   891d????????         |                     
            //   891d????????         |                     
            //   891d????????         |                     
            //   8935????????         |                     
            //   c705????????05000000     |     
            //   c705????????30750000     |     

        $sequence_6 = { 85c0 7410 8a442410 c0e004 02442414 884645 eb03 }
            // n = 7, score = 400
            //   85c0                 | test                eax, eax
            //   7410                 | je                  0x12
            //   8a442410             | mov                 al, byte ptr [esp + 0x10]
            //   c0e004               | shl                 al, 4
            //   02442414             | add                 al, byte ptr [esp + 0x14]
            //   884645               | mov                 byte ptr [esi + 0x45], al
            //   eb03                 | jmp                 5

        $sequence_7 = { 48 743a 48 741f 48 755d ff36 }
            // n = 7, score = 400
            //   48                   | dec                 eax
            //   743a                 | je                  0x3c
            //   48                   | dec                 eax
            //   741f                 | je                  0x21
            //   48                   | dec                 eax
            //   755d                 | jne                 0x5f
            //   ff36                 | push                dword ptr [esi]

        $sequence_8 = { e8???????? 59 59 83fb05 0f8c58010000 80bc1d7ffbffff0a 0f854a010000 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   83fb05               | cmp                 ebx, 5
            //   0f8c58010000         | jl                  0x15e
            //   80bc1d7ffbffff0a     | cmp                 byte ptr [ebp + ebx - 0x481], 0xa
            //   0f854a010000         | jne                 0x150

        $sequence_9 = { 55 8bec 53 56 57 e8???????? bf???????? }
            // n = 7, score = 400
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   e8????????           |                     
            //   bf????????           |                     

    condition:
        7 of them and filesize < 147456
}
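As an added example (not Malpedia's rule text and not yara-signator's code), the Python below reproduces how the win_tofsee_auto condition is evaluated without a YARA binary: each $sequence_N hex string is compiled into a byte regex in which `??` is a one-byte wildcard, `7 of them` counts the distinct sequences that occur at least once, and `filesize < 147456` gates the verdict. The sample buffer is constructed from the rule's own opcode bytes with wildcard positions zeroed; it is not a real Tofsee sample. One caveat the run makes concrete: because of the filesize clause the rule never fires on a process memory dump or padded file of 144 KiB or more, even with all ten sequences present, so for full-process dumps scan the carved module or evaluate the strings without that clause.

```python
import re

# Opcode sequences copied verbatim from win_tofsee_auto above; "??" marks a
# wildcard byte (relocated addresses, call targets) that YARA matches freely.
SEQUENCES = {
    "sequence_0": "397e0c 7421 397e10 741c 8d4614 50",
    "sequence_1": "8bf8 8b473c 8b5c3850 6a04 be00100000 56 53",
    "sequence_2": "8d85d0feffff 50 ff15???????? 8b45e0 c68405d1feffff00 8b4508 2b45f0",
    "sequence_3": "59 59 89442420 0f84df000000 2174241c 21742418",
    "sequence_4": "81ecac050000 83656c00 83654800 56 57",
    "sequence_5": "8935???????? 891d???????? 891d???????? 891d???????? 8935???????? "
                  "c705????????05000000 c705????????30750000",
    "sequence_6": "85c0 7410 8a442410 c0e004 02442414 884645 eb03",
    "sequence_7": "48 743a 48 741f 48 755d ff36",
    "sequence_8": "e8???????? 59 59 83fb05 0f8c58010000 80bc1d7ffbffff0a 0f854a010000",
    "sequence_9": "55 8bec 53 56 57 e8???????? bf????????",
}
MIN_SEQUENCES = 7        # "7 of them"
MAX_FILESIZE = 147456    # "filesize < 147456" (144 KiB)


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA hex string into a bytes regex.

    Only the subset this rule uses is supported: fixed bytes and whole-byte
    "??" wildcards. Nibble wildcards, jumps and alternations are rejected.
    """
    hexstr = pattern.replace(" ", "")
    if len(hexstr) % 2:
        raise ValueError("odd-length hex pattern")
    parts = []
    for i in range(0, len(hexstr), 2):
        token = hexstr[i:i + 2]
        if token == "??":
            parts.append(b".")
        elif "?" in token or not all(c in "0123456789abcdefABCDEF" for c in token):
            raise ValueError(f"unsupported hex token {token!r}")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    # DOTALL so "." also matches 0x0A; without it a wildcard would skip newline bytes.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in SEQUENCES.items()}


def matching_sequences(data: bytes) -> list:
    """Names of the rule's strings that occur at least once in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


def rule_matches(data: bytes) -> bool:
    """Evaluate 'condition: 7 of them and filesize < 147456' over a buffer."""
    return len(matching_sequences(data)) >= MIN_SEQUENCES and len(data) < MAX_FILESIZE


def synthetic_sample(names, pad_to: int = 0) -> bytes:
    """Constructed test buffer (not a real Tofsee sample): the chosen
    sequences back to back, wildcard bytes filled with 0x00, each preceded by
    a NOP sled, optionally zero-padded to pad_to bytes."""
    body = b""
    for name in names:
        fixed = SEQUENCES[name].replace(" ", "").replace("??", "00")
        body += b"\x90" * 16 + bytes.fromhex(fixed)
    return body.ljust(pad_to, b"\x00")


if __name__ == "__main__":
    full = synthetic_sample(SEQUENCES)
    print(len(matching_sequences(full)), rule_matches(full))              # 10 True
    print(rule_matches(synthetic_sample(list(SEQUENCES)[:6])))            # False: only 6 of 10
    print(rule_matches(synthetic_sample(SEQUENCES, pad_to=MAX_FILESIZE)))  # False: filesize clause
```

The third call is the case to remember when triaging: the sequences are all there, yet the verdict is negative purely because of the size gate.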
[TLP:WHITE] win_tofsee_w0   (20171121 | No description)
rule win_tofsee_w0 {
    meta:
        author="akrasuski1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_version = "20171121"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:

        $decryptStr = {32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14}
        $xorGreet = {C1 EB 03 C0 E1 05 0A D9 32 DA 34 C6 88 1E}
        $xorCrypt = {F7 FB 8A 44 0A 04 30 06 FF 41 0C}

        $string_res1 = "loader_id"
        $string_res2 = "born_date"
        $string_res3 = "work_srv"
        $string_res4 = "flags_upd"
        $string_res5 = "lid_file_upd"
        $string_res6 = "localcfg"

        $string_var0 = "%RND_NUM"
        $string_var1 = "%SYS_JR"
        $string_var2 = "%SYS_N"
        $string_var3 = "%SYS_RN"
        $string_var4 = "%RND_SPACE"
        $string_var5 = "%RND_DIGIT"
        $string_var6 = "%RND_HEX"
        $string_var7 = "%RND_hex"
        $string_var8 = "%RND_char"
        $string_var9 = "%RND_CHAR"

    condition:
        (7 of ($string_var*) and 4 of ($string_res*))
        or
        (7 of ($string_var*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
        or
        (4 of ($string_res*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
}
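The three hex strings in win_tofsee_w0 are short code fragments rather than data, and $decryptStr is the one a responder most wants to understand. Its 15 bytes disassemble to `xor dl, [ebp+0x14]` / `mov [eax], dl` / `mov dl, cl` / `add dl, [ebp+0x18]` / `neg cl` / `add [ebp+0x14], dl`: each input byte is XORed with a running key, the key is then advanced by the sum of two 8-bit values, and one of those two flips sign every round. The Python below is an added example, not Malpedia's rule code and not the decryptor from the larsborn reference above, that reimplements exactly that loop body. The names key/delta/step for the three state bytes, their initial values and the sample plaintext are assumptions: the rule fixes only the instruction bytes, and real parameters have to be recovered from the sample that calls the loop. Because the keystream does not depend on the data, one function both encrypts and decrypts.

```python
# Bytes of $decryptStr from win_tofsee_w0, usable to locate the loop in a dump.
DECRYPT_LOOP = bytes.fromhex("32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14")


def find_decrypt_loop(data: bytes) -> int:
    """Offset of the $decryptStr loop body in data, or -1 if absent."""
    return data.find(DECRYPT_LOOP)


def tofsee_xor_stream(data: bytes, key: int, delta: int, step: int) -> bytes:
    """Apply the byte-wise keystream implemented by the $decryptStr loop body.

    Mapping assumed from the opcodes (the names are ours, not the malware's):
        key   -> byte [ebp+0x14]   running XOR key
        delta -> cl                sign-alternating increment
        step  -> byte [ebp+0x18]   constant increment
    Per byte:  out = in ^ key ; key += delta + step ; delta = -delta   (all mod 256)
    Symmetric: applying it twice with the same parameters restores the input.
    """
    key, delta, step = key & 0xFF, delta & 0xFF, step & 0xFF
    out = bytearray()
    for b in data:
        out.append(b ^ key)                 # xor dl,[ebp+0x14] ; mov [eax],dl
        key = (key + delta + step) & 0xFF   # mov dl,cl ; add dl,[ebp+0x18] ; add [ebp+0x14],dl
        delta = (-delta) & 0xFF             # neg cl
    return bytes(out)


def keystream(length: int, key: int, delta: int, step: int) -> bytes:
    """The key bytes the loop XORs against `length` input bytes (input of zeros)."""
    return tofsee_xor_stream(bytes(length), key, delta, step)


if __name__ == "__main__":
    # Constructed demo: a config key name from the rule, scrambled with assumed parameters.
    plain = b"loader_id"
    blob = tofsee_xor_stream(plain, key=0x41, delta=0x07, step=0x03)
    print(blob.hex())
    print(tofsee_xor_stream(blob, 0x41, 0x07, 0x03))  # b'loader_id'
    # With delta=0 the schedule degenerates to a plain rolling XOR (key += step).
    print(keystream(3, 5, 0, 4).hex())  # 05090d
    # A buffer containing the loop body is located by its signature bytes.
    dump = b"\xcc" * 32 + DECRYPT_LOOP + b"\xcc" * 32
    print(find_decrypt_loop(dump))  # 32
```

When pointing this at a real sample, take key, delta and step from the call site of the matched loop (the values loaded into the two stack slots and cl before the loop), and decode the candidate blob until the output looks like the %RND_ / %SYS_ template variables or the config key names listed in the rule.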