win.tofsee

Tofsee

aka: Gheg

There is no description at this point.

References
2022-11-21Github (larsborn)Lars Wallenborn
@online{wallenborn:20221121:tofsee:8a0c345, author = {Lars Wallenborn}, title = {{Tofsee String Decryption Code}}, date = {2022-11-21}, organization = {Github (larsborn)}, url = {https://gist.github.com/larsborn/0ec24d7b294248c51de0c3335802cbd4}, language = {English}, urldate = {2022-11-25} } Tofsee String Decryption Code
Tofsee
2022-10-13SpamhausSpamhaus Malware Labs
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} } Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-02-11Cisco TalosTalos
@online{talos:20220211:threat:fcad762, author = {Talos}, title = {{Threat Roundup for February 4 to February 11}}, date = {2022-02-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html}, language = {English}, urldate = {2022-02-14} } Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus
2022-02-08Intel 471Intel 471
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2021-05-17DragosKent Backman
@online{backman:20210517:investigating:447e111, author = {Kent Backman}, title = {{Investigating the Watering Hole Linked to the Oldsmar Water Treatment Facility Breach}}, date = {2021-05-17}, organization = {Dragos}, url = {https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/}, language = {English}, urldate = {2021-05-19} } Investigating the Watering Hole Linked to the Oldsmar Water Treatment Facility Breach
Tofsee
2017-10-19CERT.PLJarosław Jedynak
@online{jedynak:20171019:deeper:f2e50ae, author = {Jarosław Jedynak}, title = {{A deeper look at Tofsee modules}}, date = {2017-10-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/}, language = {English}, urldate = {2020-01-06} } A deeper look at Tofsee modules
Tofsee
2017-10-06CERT.PLMaciej Kotowicz, Jarosław Jedynak
@techreport{kotowicz:20171006:peering:668c82e, author = {Maciej Kotowicz and Jarosław Jedynak}, title = {{Peering into spam botnets}}, date = {2017-10-06}, institution = {CERT.PL}, url = {https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf}, language = {English}, urldate = {2020-04-06} } Peering into spam botnets
Emotet Kelihos Necurs SendSafe Tofsee
2017-03-24Zerophage
@online{zerophage:20170324:terror:b7e48b2, author = {Zerophage}, title = {{Terror EK via Malvertising delivers Tofsee Spambot}}, date = {2017-03-24}, url = {https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/}, language = {English}, urldate = {2020-01-05} } Terror EK via Malvertising delivers Tofsee Spambot
Tofsee
2016-09-16CERT.PLAdam Krasuski
@online{krasuski:20160916:tofsee:79a1d35, author = {Adam Krasuski}, title = {{Tofsee – modular spambot}}, date = {2016-09-16}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/tofsee-en/}, language = {English}, urldate = {2020-01-13} } Tofsee – modular spambot
Tofsee
Yara Rules
[TLP:WHITE] win_tofsee_auto (20230125 | Detects win.tofsee.)
rule win_tofsee_auto {
    // Auto-generated code-signature rule for Tofsee: ten short instruction
    // byte sequences lifted from disassembly by YARA-Signator (see DISCLAIMER).
    // In the per-string comments, "n" is the number of instructions in the
    // sequence and "score" is a ranking value emitted by the generator (its
    // exact meaning is not documented here).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.tofsee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Bytes written as "??" are wildcards masking operands that differ
        // between builds or after relocation: the rel32 displacement of
        // call/jmp (e8/e9) and the absolute address operand of mov moffs32,
        // call [mem] and push imm32 (a3/ff15/68). The generator leaves the
        // disassembly column blank for those instructions.
        $sequence_0 = { 41 890e c60000 eb07 8b45f0 830c30ff 83c604 }
            // n = 7, score = 400
            //   41                   | inc                 ecx
            //   890e                 | mov                 dword ptr [esi], ecx
            //   c60000               | mov                 byte ptr [eax], 0
            //   eb07                 | jmp                 9
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   830c30ff             | or                  dword ptr [eax + esi], 0xffffffff
            //   83c604               | add                 esi, 4

        $sequence_1 = { 83e001 895108 c3 55 8bec 83ec14 53 }
            // n = 7, score = 400
            //   83e001               | and                 eax, 1
            //   895108               | mov                 dword ptr [ecx + 8], edx
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec14               | sub                 esp, 0x14
            //   53                   | push                ebx

        $sequence_2 = { 56 a3???????? e8???????? 6a28 68???????? 57 56 }
            // n = 7, score = 400
            //   56                   | push                esi
            //   a3????????           |                     
            //   e8????????           |                     
            //   6a28                 | push                0x28
            //   68????????           |                     
            //   57                   | push                edi
            //   56                   | push                esi

        $sequence_3 = { 6a7d 50 e8???????? 85c0 59 59 }
            // n = 6, score = 400
            //   6a7d                 | push                0x7d
            //   50                   | push                eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_4 = { 5f 83660c00 8bce 5e e9???????? 53 56 }
            // n = 7, score = 400
            //   5f                   | pop                 edi
            //   83660c00             | and                 dword ptr [esi + 0xc], 0
            //   8bce                 | mov                 ecx, esi
            //   5e                   | pop                 esi
            //   e9????????           |                     
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_5 = { e8???????? 83c40c 8d85d8fcffff 50 ff75f4 ff15???????? 85c0 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d85d8fcffff         | lea                 eax, [ebp - 0x328]
            //   50                   | push                eax
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_6 = { 83f8ff 0f84d3000000 6639b58efeffff 8975f8 8975f4 7663 6a28 }
            // n = 7, score = 400
            //   83f8ff               | cmp                 eax, -1
            //   0f84d3000000         | je                  0xd9
            //   6639b58efeffff       | cmp                 word ptr [ebp - 0x172], si
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   8975f4               | mov                 dword ptr [ebp - 0xc], esi
            //   7663                 | jbe                 0x65
            //   6a28                 | push                0x28

        $sequence_7 = { 50 ff75fc e8???????? 83c418 85c0 7f55 ff75fc }
            // n = 7, score = 400
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   85c0                 | test                eax, eax
            //   7f55                 | jg                  0x57
            //   ff75fc               | push                dword ptr [ebp - 4]

        $sequence_8 = { 2bd0 03c1 2bd1 8b4df4 8d443030 52 50 }
            // n = 7, score = 400
            //   2bd0                 | sub                 edx, eax
            //   03c1                 | add                 eax, ecx
            //   2bd1                 | sub                 edx, ecx
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8d443030             | lea                 eax, [eax + esi + 0x30]
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_9 = { 50 ff15???????? eb05 bf80000000 33c0 50 57 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   ff15????????         |                     
            //   eb05                 | jmp                 7
            //   bf80000000           | mov                 edi, 0x80
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax
            //   57                   | push                edi

    condition:
        // At least 7 of the 10 $sequence_* strings must match, and the scanned
        // file must be smaller than 147456 bytes (144 KiB). The bound was
        // presumably derived from the unpacked sample(s) the rule was built
        // from, so larger inputs such as full process-memory dumps can fail this
        // clause even when the sequences are present; YARA defines filesize for
        // file scans, so confirm the rule's behaviour before relying on it for
        // process scans.
        7 of them and filesize < 147456
}
[TLP:WHITE] win_tofsee_w0   (20171121 | No description)
rule win_tofsee_w0 {
    // Hand-written Tofsee rule combining three independent evidence classes:
    //   - $decryptStr / $xorGreet / $xorCrypt: code bytes from the bot's
    //     string-decryption, greeting-XOR and stream-crypt routines (routine
    //     names are the author's; the instruction decodings below are derived
    //     from the bytes themselves)
    //   - $string_res*: configuration / resource key names
    //   - $string_var*: spam-template placeholder tokens
    // All text strings are plain ASCII (no "wide" modifier), so UTF-16 copies
    // of these tokens are not matched.
    meta:
        author="akrasuski1"   // presumably Adam Krasuski (CERT.PL, 2016 Tofsee write-up)
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_version = "20171121"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:

        // xor dl,[ebp+0x14]; mov [eax],dl; mov dl,cl; add dl,[ebp+0x18]; neg cl; add [ebp+0x14],dl
        // (byte-wise rolling xor/add decryption loop body)
        $decryptStr = {32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14}
        // shr ebx,3; shl cl,5; or bl,cl; xor bl,dl; xor al,0xC6; mov [esi],bl
        $xorGreet = {C1 EB 03 C0 E1 05 0A D9 32 DA 34 C6 88 1E}
        // idiv ebx; mov al,[edx+ecx+4]; xor [esi],al; inc dword [ecx+0xC]
        $xorCrypt = {F7 FB 8A 44 0A 04 30 06 FF 41 0C}

        // Configuration / resource key names (6 strings; condition needs 4).
        $string_res1 = "loader_id"
        $string_res2 = "born_date"
        $string_res3 = "work_srv"
        $string_res4 = "flags_upd"
        $string_res5 = "lid_file_upd"
        $string_res6 = "localcfg"

        // Template placeholder tokens (10 strings; condition needs 7).
        // Note the deliberate case variants RND_HEX/RND_hex and RND_char/RND_CHAR.
        $string_var0 = "%RND_NUM"
        $string_var1 = "%SYS_JR"
        $string_var2 = "%SYS_N"
        $string_var3 = "%SYS_RN"
        $string_var4 = "%RND_SPACE"
        $string_var5 = "%RND_DIGIT"
        $string_var6 = "%RND_HEX"
        $string_var7 = "%RND_hex"
        $string_var8 = "%RND_char"
        $string_var9 = "%RND_CHAR"

    condition:
        // Any two of the three evidence classes suffice: placeholders (7 of 10),
        // config keys (4 of 6), code patterns (2 of 3). There is no file-type
        // or filesize guard, so the rule applies equally to files and dumps.
        (7 of ($string_var*) and 4 of ($string_res*))
        or
        (7 of ($string_var*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
        or
        (4 of ($string_res*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
}