General
-
Target
97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649
-
Size
173KB
-
Sample
221125-r8fcmaeg44
-
MD5
aa022c62898c665e601e15e6e204b86e
-
SHA1
88d9102b156445328fbfbbf2434ae4d98cf8efc9
-
SHA256
97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649
-
SHA512
23535551c14fd9ec5083d829647464048395ae7eddf1f92235e668205d991a5b335fd715d80f2463102d2c0aee1f5d61e352d21d419a489d7ea0b00ab2b8332c
-
SSDEEP
3072:EjhcgKXXIyhhlGyO5DEDn3U0gbmke8rvtRt22shyLFw:ECX4yhaZAn3h8/DtRt7L
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Targets
-
-
Target
97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649
-
Size
173KB
-
MD5
aa022c62898c665e601e15e6e204b86e
-
SHA1
88d9102b156445328fbfbbf2434ae4d98cf8efc9
-
SHA256
97e8b8205a9be4ddbed90d7c354a58aab170c15e458564baee9f50e17ca79649
-
SHA512
23535551c14fd9ec5083d829647464048395ae7eddf1f92235e668205d991a5b335fd715d80f2463102d2c0aee1f5d61e352d21d419a489d7ea0b00ab2b8332c
-
SSDEEP
3072:EjhcgKXXIyhhlGyO5DEDn3U0gbmke8rvtRt22shyLFw:ECX4yhaZAn3h8/DtRt7L
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-