win.tofsee (Back to overview)

Tofsee

aka: Gheg
URLhaus    

There is no description at this point.

References
2017-10-19 CERT.PL Jarosław Jedynak
@online{jedynak:20171019:deeper:f2e50ae, author = {Jarosław Jedynak}, title = {{A deeper look at Tofsee modules}}, date = {2017-10-19}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/}, language = {English}, urldate = {2020-01-06} } A deeper look at Tofsee modules
Tofsee
2017-10-06 CERT.PL Maciej Kotowicz, Jarosław Jedynak
@techreport{kotowicz:20171006:peering:668c82e, author = {Maciej Kotowicz and Jarosław Jedynak}, title = {{Peering into spam botnets}}, date = {2017-10-06}, institution = {CERT.PL}, url = {https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf}, language = {English}, urldate = {2020-04-06} } Peering into spam botnets
Emotet Kelihos Necurs SendSafe Tofsee
2017-03-24 Zerophage
@online{zerophage:20170324:terror:b7e48b2, author = {Zerophage}, title = {{Terror EK via Malvertising delivers Tofsee Spambot}}, date = {2017-03-24}, url = {https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/}, language = {English}, urldate = {2020-01-05} } Terror EK via Malvertising delivers Tofsee Spambot
Tofsee
2016-09-16 CERT.PL Adam Krasuski
@online{krasuski:20160916:tofsee:79a1d35, author = {Adam Krasuski}, title = {{Tofsee – modular spambot}}, date = {2016-09-16}, organization = {CERT.PL}, url = {https://www.cert.pl/en/news/single/tofsee-en/}, language = {English}, urldate = {2020-01-13} } Tofsee – modular spambot
Tofsee
Yara Rules
[TLP:WHITE] win_tofsee_auto (20200529 | autogenerated rule brought to you by yara-signator)
// Detects Tofsee (aka Gheg) through code-level byte sequences. Every pattern
// below was selected automatically by yara-signator (see the DISCLAIMER), so
// the rule carries no analyst-chosen indicators.
rule win_tofsee_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        // presumably the generator feature set used for this rule (call/jump
        // sites, data references, binary values) — confirm against the
        // yara-signator documentation linked in the DISCLAIMER
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of x86 instruction bytes taken from the
        // disassembly. "????????" wildcards mask 32-bit operands that change
        // between builds (relative call/jmp targets, absolute data addresses);
        // the disassembly comments leave those instructions blank on purpose.
        // "n" is the number of instructions in the sequence; "score" is the
        // generator's ranking of the sequence — its scale is not documented here.
        $sequence_0 = { e8???????? 50 8d8580fbffff 50 e8???????? 83c420 85c0 }
            // n = 7, score = 400
            //   e8????????           |
            //   50                   | push                eax
            //   8d8580fbffff         | lea                 eax, [ebp - 0x480]
            //   50                   | push                eax
            //   e8????????           |
            //   83c420               | add                 esp, 0x20
            //   85c0                 | test                eax, eax

        $sequence_1 = { 8bec 81ecc4000000 56 68???????? ff7508 e8???????? 8bf0 }
            // n = 7, score = 400
            //   8bec                 | mov                 ebp, esp
            //   81ecc4000000         | sub                 esp, 0xc4
            //   56                   | push                esi
            //   68????????           |
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |
            //   8bf0                 | mov                 esi, eax

        $sequence_2 = { e8???????? 83c40c 85c0 0f858e010000 6a0c 5e }
            // n = 6, score = 400
            //   e8????????           |
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f858e010000         | jne                 0x194
            //   6a0c                 | push                0xc
            //   5e                   | pop                 esi

        $sequence_3 = { 8d45e0 50 66c745e0b607 66c745e20100 668975e4 66c745e60100 668975e8 }
            // n = 7, score = 400
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   66c745e0b607         | mov                 word ptr [ebp - 0x20], 0x7b6
            //   66c745e20100         | mov                 word ptr [ebp - 0x1e], 1
            //   668975e4             | mov                 word ptr [ebp - 0x1c], si
            //   66c745e60100         | mov                 word ptr [ebp - 0x1a], 1
            //   668975e8             | mov                 word ptr [ebp - 0x18], si

        $sequence_4 = { 8b36 393e 75e4 33c0 5f 5e 5d }
            // n = 7, score = 400
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   393e                 | cmp                 dword ptr [esi], edi
            //   75e4                 | jne                 0xffffffe6
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_5 = { 8d45e4 6a08 50 ff75f8 c745e401000000 c745e80c000000 e8???????? }
            // n = 7, score = 400
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   6a08                 | push                8
            //   50                   | push                eax
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   c745e401000000       | mov                 dword ptr [ebp - 0x1c], 1
            //   c745e80c000000       | mov                 dword ptr [ebp - 0x18], 0xc
            //   e8????????           |

        $sequence_6 = { e9???????? ff35???????? e8???????? a1???????? 3930 59 0f85b6f7ffff }
            // n = 7, score = 400
            // four of the seven instructions here are wildcarded, so this
            // sequence contributes little on its own; the condition still needs
            // six other sequences to match.
            //   e9????????           |
            //   ff35????????         |
            //   e8????????           |
            //   a1????????           |
            //   3930                 | cmp                 dword ptr [eax], esi
            //   59                   | pop                 ecx
            //   0f85b6f7ffff         | jne                 0xfffff7bc

        $sequence_7 = { 8955f0 8945f4 8b06 034508 6a7c 50 }
            // n = 6, score = 400
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   034508               | add                 eax, dword ptr [ebp + 8]
            //   6a7c                 | push                0x7c
            //   50                   | push                eax

        $sequence_8 = { 894728 89572c c70424???????? e8???????? 8b4704 ff4004 f6471801 }
            // n = 7, score = 400
            //   894728               | mov                 dword ptr [edi + 0x28], eax
            //   89572c               | mov                 dword ptr [edi + 0x2c], edx
            //   c70424????????       |
            //   e8????????           |
            //   8b4704               | mov                 eax, dword ptr [edi + 4]
            //   ff4004               | inc                 dword ptr [eax + 4]
            //   f6471801             | test                byte ptr [edi + 0x18], 1

        $sequence_9 = { 7904 83660c00 ffd3 894614 ff461c 8b461c }
            // n = 6, score = 400
            //   7904                 | jns                 6
            //   83660c00             | and                 dword ptr [esi + 0xc], 0
            //   ffd3                 | call                ebx
            //   894614               | mov                 dword ptr [esi + 0x14], eax
            //   ff461c               | inc                 dword ptr [esi + 0x1c]
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]

    condition:
        // Any 7 of the 10 sequences must be present, and the scanned object must
        // be smaller than 147456 bytes (144 KiB). Because the sequences were
        // taken from unpacked files and memory dumps (see DISCLAIMER), larger
        // carriers — e.g. still-packed or bundled binaries — fall outside the
        // size cap and will not match even if they embed the same code.
        7 of them and filesize < 147456
}
[TLP:WHITE] win_tofsee_w0   (20171121 | No description)
// Hand-written Tofsee rule combining three independent kinds of evidence:
// raw code bytes, resource-style names and spam-template placeholders. Any two
// of the three classes must match (see the condition).
rule win_tofsee_w0 {
    meta:
        author="akrasuski1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
        malpedia_version = "20171121"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:

        // Exact x86 byte patterns with no wildcards, so they are tied to the
        // analysed build. The names suggest the string-decryption routine and
        // two XOR routines — not decoded here; compare against the CERT.PL
        // write-ups listed under References before treating them as stable.
        $decryptStr = {32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14}
        $xorGreet = {C1 EB 03 C0 E1 05 0A D9 32 DA 34 C6 88 1E}
        $xorCrypt = {F7 FB 8A 44 0A 04 30 06 FF 41 0C}

        // Plain ASCII names; "res" presumably refers to the bot's resource /
        // configuration entries (loader id, birth date, work server, ...) —
        // verify against the referenced analyses.
        $string_res1 = "loader_id"
        $string_res2 = "born_date"
        $string_res3 = "work_srv"
        $string_res4 = "flags_upd"
        $string_res5 = "lid_file_upd"
        $string_res6 = "localcfg"

        // "%..."-style placeholders, presumably macros expanded in spam
        // templates (random numbers, digits, hex, characters, newlines). YARA
        // text strings are case-sensitive unless "nocase" is given, so
        // $string_var6 ("%RND_HEX") and $string_var7 ("%RND_hex") are distinct
        // indicators and both can count toward the "7 of" threshold.
        $string_var0 = "%RND_NUM"
        $string_var1 = "%SYS_JR"
        $string_var2 = "%SYS_N"
        $string_var3 = "%SYS_RN"
        $string_var4 = "%RND_SPACE"
        $string_var5 = "%RND_DIGIT"
        $string_var6 = "%RND_HEX"
        $string_var7 = "%RND_hex"
        $string_var8 = "%RND_char"
        $string_var9 = "%RND_CHAR"

    condition:
        // Two of three evidence classes must agree: at least 7 of the 10
        // placeholders, at least 4 of the 6 resource names, or at least 2 of
        // the 3 code patterns. No filesize bound is applied (contrast with
        // win_tofsee_auto), so the rule also applies to large memory dumps.
        (7 of ($string_var*) and 4 of ($string_res*))
        or
        (7 of ($string_var*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
        or
        (4 of ($string_res*) and 2 of ($decryptStr, $xorGreet, $xorCrypt))
}