General
-
Target
file.exe
-
Size
146KB
-
Sample
221126-krldzsad2v
-
MD5
1fd5ff320a44cfc6d33a505c24efa590
-
SHA1
6db5b5667f7861e163344f95ec9f0f3616d14130
-
SHA256
662a375950d1b16ceb51ea7d50fbaa9121f087d7d148d3be65705a2c4b8b3d08
-
SHA512
83177f1f72249deaca68249ee5b2f4b755dd0481fb7b24c55f3f28183d5b54edf40f4e330bb00156210eea1f6d73414474df4f3b5b8b69cb14150d058983c29d
-
SSDEEP
3072:/EBurucqyxil650IRnGOamWe3BYL7aoBUSl3X:cVcqd6Bg7aj+n
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Targets
-
-
Target
file.exe
-
Size
146KB
-
MD5
1fd5ff320a44cfc6d33a505c24efa590
-
SHA1
6db5b5667f7861e163344f95ec9f0f3616d14130
-
SHA256
662a375950d1b16ceb51ea7d50fbaa9121f087d7d148d3be65705a2c4b8b3d08
-
SHA512
83177f1f72249deaca68249ee5b2f4b755dd0481fb7b24c55f3f28183d5b54edf40f4e330bb00156210eea1f6d73414474df4f3b5b8b69cb14150d058983c29d
-
SSDEEP
3072:/EBurucqyxil650IRnGOamWe3BYL7aoBUSl3X:cVcqd6Bg7aj+n
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-