Overview

overview

10

Static

static

1

3a746974da...d3.exe

windows7-x64

10

3a746974da...d3.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3a746974da0c50d746aabe922ec4e7d3.exe

  • Size

    197KB

  • Sample

    230411-n2v8qadh6v

  • MD5

    3a746974da0c50d746aabe922ec4e7d3

  • SHA1

    c37e1beca1da2866961a51a75a4358c78e32997b

  • SHA256

    5c3c394e210954a18fab99b23fe51d874d5395a867ffcacede8286dacf463960

  • SHA512

    b3802da383289cbea44a55bee525ca0a230eea4341b7063bf92689db6b5601f044231db0909166035df471c35532b5e0dd67effd69acd08dced43a6432d7bda5

  • SSDEEP

    3072:5LcFddSO6u+H+dNnMRbbue0bdY2NC0fRBdFX:5cl6ujdNnMNbP0bbCOBdR

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      3a746974da0c50d746aabe922ec4e7d3.exe

    • Size

      197KB

    • MD5

      3a746974da0c50d746aabe922ec4e7d3

    • SHA1

      c37e1beca1da2866961a51a75a4358c78e32997b

    • SHA256

      5c3c394e210954a18fab99b23fe51d874d5395a867ffcacede8286dacf463960

    • SHA512

      b3802da383289cbea44a55bee525ca0a230eea4341b7063bf92689db6b5601f044231db0909166035df471c35532b5e0dd67effd69acd08dced43a6432d7bda5

    • SSDEEP

      3072:5LcFddSO6u+H+dNnMRbbue0bdY2NC0fRBdFX:5cl6ujdNnMNbP0bbCOBdR

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks