General
-
Target
98f17302b4e156486845c83ad422c6aa.bin
-
Size
141KB
-
Sample
230411-bssd9ahg39
-
MD5
ab0c7ed3b19e69657fe0f930c5baa504
-
SHA1
1ed27482b15f9bfcefaf9d5e2c4783c5672bda75
-
SHA256
66f93e0301309aac2b38f3b904095162cb7c62591f22e8579074ce29cee69a9d
-
SHA512
6ae1040c7d2a57a5901f8871b4718858f6799fb68afaabd49deea41b190093ded4c72fd2837d595ec8b28338d855b3ec00cbba6f2f2c29d7bf892201d7601968
-
SSDEEP
3072:ZVMymocimjcr8FB7Alg4fwY+4pBy+Y5IolNXMPAAdt2mcyjVE94Xn1gJtK6Dhm:ZeymocimjcrEeljd+4pg/58t2mcyjlXp
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
36949fde2e1880e8c86de360f71c2302c67cd453840ffd43fc1288234f3c6aa1.exe
-
Size
201KB
-
MD5
98f17302b4e156486845c83ad422c6aa
-
SHA1
83ffb44c4843b0ca414450644623897b1ffaed09
-
SHA256
36949fde2e1880e8c86de360f71c2302c67cd453840ffd43fc1288234f3c6aa1
-
SHA512
660e78e8419e16d74b2f7a527608f14a071e2d69f8b260090ce943b3d05d6113ec67e7a698bdea17ee0431a68ce9830d28398813cb520cacd8f77950d61582a5
-
SSDEEP
3072:HiGTXJoDM4OArNhCqW53oPP/zRsMPVFuZmj8peC5OC7h6Bu4e:CU6o4OGNYoPP7zVF4mj8S0
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-