General
-
Target
file
-
Size
213KB
-
Sample
230417-pqgfvseb86
-
MD5
dac1f98021e82370657ca79d43940e9e
-
SHA1
1d69c84299549560c1a46d085256a27d6a074621
-
SHA256
209e78147c676b2562945d15e0637303f819bc8a2f0e34f5cfa8ba16137e85a5
-
SHA512
56f829653430fffee2e9799902fd38bb726c28bdda5accd43e5c3b333ef2c909d7b9c865e8ba3041609bfc415b9283a9cf4d3888dd81b1091fae7b7cc53b5432
-
SSDEEP
3072:HnCD27R5eVPDZg4lrEh+DsuNk0+LpzCJMZZmEo8ksJ5tMxqyI7iMPre:HRjeVPu4lrEh+Dsik0+RTDw9u/7iMT
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
file
-
Size
213KB
-
MD5
dac1f98021e82370657ca79d43940e9e
-
SHA1
1d69c84299549560c1a46d085256a27d6a074621
-
SHA256
209e78147c676b2562945d15e0637303f819bc8a2f0e34f5cfa8ba16137e85a5
-
SHA512
56f829653430fffee2e9799902fd38bb726c28bdda5accd43e5c3b333ef2c909d7b9c865e8ba3041609bfc415b9283a9cf4d3888dd81b1091fae7b7cc53b5432
-
SSDEEP
3072:HnCD27R5eVPDZg4lrEh+DsuNk0+LpzCJMZZmEo8ksJ5tMxqyI7iMPre:HRjeVPu4lrEh+Dsik0+RTDw9u/7iMT
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-