SYMBOLCOMMON_NAMEaka. SYNONYMS
win.tofsee (Back to overview)

Tofsee

aka: Gheg
URLhaus    

There is no description at this point.

References
2022-02-11Cisco TalosTalos
@online{talos:20220211:threat:fcad762, author = {Talos}, title = {{Threat Roundup for February 4 to February 11}}, date = {2022-02-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html}, language = {English}, urldate = {2022-02-14} } Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus
2022-02-08Intel 471Intel 471
@online{471:20220208:privateloader:5e226cd, author = {Intel 471}, title = {{PrivateLoader: The first step in many malware schemes}}, date = {2022-02-08}, organization = {Intel 471}, url = {https://intel471.com/blog/privateloader-malware}, language = {English}, urldate = {2022-05-09} } PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2021-05-17DragosKent Backman
@online{backman:20210517:investigating:447e111, author = {Kent Backman}, title = {{Investigating the Watering Hole Linked to the Oldsmar Water Treatment Facility Breach}}, date = {2021-05-17}, organization = {Dragos}, url = {https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/}, language = {English}, urldate = {2021-05-19} } Investigating the Watering Hole Linked to the Oldsmar Water Treatment Facility Breach
Tofsee
2017-10-19CERT.PLJarosław Jedynak
@online{jedynak:20171019:deeper:f2e50ae, author = {Jarosław Jedynak}, title = {{A deeper look at Tofsee modules}}, date = {2017-10-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/}, language = {English}, urldate = {2020-01-06} } A deeper look at Tofsee modules
Tofsee
2017-10-06CERT.PLMaciej Kotowicz, Jarosław Jedynak
@techreport{kotowicz:20171006:peering:668c82e, author = {Maciej Kotowicz and Jarosław Jedynak}, title = {{Peering into spam botnets}}, date = {2017-10-06}, institution = {CERT.PL}, url = {https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf}, language = {English}, urldate = {2020-04-06} } Peering into spam botnets
Emotet Kelihos Necurs SendSafe Tofsee
2017-03-24Zerophage
@online{zerophage:20170324:terror:b7e48b2, author = {Zerophage}, title = {{Terror EK via Malvertising delivers Tofsee Spambot}}, date = {2017-03-24}, url = {https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/}, language = {English}, urldate = {2020-01-05} } Terror EK via Malvertising delivers Tofsee Spambot
Tofsee
2016-09-16CERT.PLAdam Krasuski
@online{krasuski:20160916:tofsee:79a1d35, author = {Adam Krasuski}, title = {{Tofsee – modular spambot}}, date = {2016-09-16}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/tofsee-en/}, language = {English}, urldate = {2020-01-13} } Tofsee – modular spambot
Tofsee
Yara Rules
[TLP:WHITE] win_tofsee_auto (20220411 | Detects win.tofsee.)
rule win_tofsee_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.tofsee."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33ff e8???????? 8b35???????? 81fe???????? 59 742b 397e08 }
            // n = 7, score = 400
            //   33ff                 | xor                 edi, edi
            //   e8????????           |                     
            //   8b35????????         |                     
            //   81fe????????         |                     
            //   59                   | pop                 ecx
            //   742b                 | je                  0x2d
            //   397e08               | cmp                 dword ptr [esi + 8], edi

        $sequence_1 = { 33f6 8d8584feffff 56 50 e8???????? 8b03 }
            // n = 6, score = 400
            //   33f6                 | xor                 esi, esi
            //   8d8584feffff         | lea                 eax, dword ptr [ebp - 0x17c]
            //   56                   | push                esi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b03                 | mov                 eax, dword ptr [ebx]

        $sequence_2 = { 8b4514 8945f8 8b4510 8d4801 8a10 40 84d2 }
            // n = 7, score = 400
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8d4801               | lea                 ecx, dword ptr [eax + 1]
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   40                   | inc                 eax
            //   84d2                 | test                dl, dl

        $sequence_3 = { 03f8 3b7d10 7d16 ff7514 8b4510 2bc7 50 }
            // n = 7, score = 400
            //   03f8                 | add                 edi, eax
            //   3b7d10               | cmp                 edi, dword ptr [ebp + 0x10]
            //   7d16                 | jge                 0x18
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   2bc7                 | sub                 eax, edi
            //   50                   | push                eax

        $sequence_4 = { 395d0c 750f 33c0 40 3905???????? 0f854a010000 391d???????? }
            // n = 7, score = 400
            //   395d0c               | cmp                 dword ptr [ebp + 0xc], ebx
            //   750f                 | jne                 0x11
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   3905????????         |                     
            //   0f854a010000         | jne                 0x150
            //   391d????????         |                     

        $sequence_5 = { 8d45e4 6a08 50 ff75f8 c745e401000000 c745e80c000000 e8???????? }
            // n = 7, score = 400
            //   8d45e4               | lea                 eax, dword ptr [ebp - 0x1c]
            //   6a08                 | push                8
            //   50                   | push                eax
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1
            //   c745e80c000000       | mov                 dword ptr [ebp - 0x18], 0xc
            //   e8????????           |                     

        $sequence_6 = { 834e1410 53 68???????? 57 55 e8???????? 83c410 }
            // n = 7, score = 400
            //   834e1410             | or                  dword ptr [esi + 0x14], 0x10
            //   53                   | push                ebx
            //   68????????           |                     
            //   57                   | push                edi
            //   55                   | push                ebp
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_7 = { 8bd8 83c410 85db 7541 394604 7f2b 8b4608 }
            // n = 7, score = 400
            //   8bd8                 | mov                 ebx, eax
            //   83c410               | add                 esp, 0x10
            //   85db                 | test                ebx, ebx
            //   7541                 | jne                 0x43
            //   394604               | cmp                 dword ptr [esi + 4], eax
            //   7f2b                 | jg                  0x2d
            //   8b4608               | mov                 eax, dword ptr [esi + 8]

        $sequence_8 = { 50 ff15???????? e9???????? 8b450c 8975f8 894510 83fb05 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   ff15????????         |                     
            //   e9????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   894510               | mov                 dword ptr [ebp + 0x10], eax
            //   83fb05               | cmp                 ebx, 5

        $sequence_9 = { 56 ff7510 ff35???????? ff750c ff7508 e8???????? 8b0d???????? }
            // n = 7, score = 400
            //   56                   | push                esi
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff35????????         |                     
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8b0d????????         |                     

    condition:
        7 of them and filesize < 147456
}
[TLP:WHITE] win_tofsee_w0   (20171121 | No description)
rule win_tofsee_w0 {
    meta:
        author="akrasuski1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_version = "20171121"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:

        $decryptStr = {32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14}
        $xorGreet = {C1 EB 03 C0 E1 05 0A D9 32 DA 34 C6 88 1E}
        $xorCrypt = {F7 FB 8A 44 0A 04 30 06 FF 41 0C}

        $string_res1 = "loader_id"
        $string_res2 = "born_date"
        $string_res3 = "work_srv"
        $string_res4 = "flags_upd"
        $string_res5 = "lid_file_upd"
        $string_res6 = "localcfg"

        $string_var0 = "%RND_NUM"
        $string_var1 = "%SYS_JR"
        $string_var2 = "%SYS_N"
        $string_var3 = "%SYS_RN"
        $string_var4 = "%RND_SPACE"
        $string_var5 = "%RND_DIGIT"
        $string_var6 = "%RND_HEX"
        $string_var7 = "%RND_hex"
        $string_var8 = "%RND_char"
        $string_var9 = "%RND_CHAR"

    condition:
        (7 of ($string_var*) and 4 of ($string_res*))
        or
        (7 of ($string_var*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
        or
        (4 of ($string_res*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
}
Download all Yara Rules