General
-
Target
file.exe
-
Size
299KB
-
Sample
230206-2fx23sbd9w
-
MD5
f4d9f3f1009be26ad902f44ac9082c4e
-
SHA1
9814e5e8e6ce762b7e0544f8f44d1eddd9658415
-
SHA256
15188d63048c1646ce4b4070eb5ff19ed65e9e63af1c884e3b314d5536bb695a
-
SHA512
c09ec10ea165108655f52c1e001d37777c66ff205cd8936c79f5991e838ec29cc76d0ad8c7b7c129ef3fa41007559c3869d7483f5ae3fbb52d0ffe60a95208c6
-
SSDEEP
6144:COUmLTe6RYq4N306/C/ryGOhXDuQj96oah:CBmvjYjNda2GOhXDljD
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Targets
-
-
Target
file.exe
-
Size
299KB
-
MD5
f4d9f3f1009be26ad902f44ac9082c4e
-
SHA1
9814e5e8e6ce762b7e0544f8f44d1eddd9658415
-
SHA256
15188d63048c1646ce4b4070eb5ff19ed65e9e63af1c884e3b314d5536bb695a
-
SHA512
c09ec10ea165108655f52c1e001d37777c66ff205cd8936c79f5991e838ec29cc76d0ad8c7b7c129ef3fa41007559c3869d7483f5ae3fbb52d0ffe60a95208c6
-
SSDEEP
6144:COUmLTe6RYq4N306/C/ryGOhXDuQj96oah:CBmvjYjNda2GOhXDljD
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-