General
-
Target
4e39579f1251ae570e145e352e7393f7.bin
-
Size
166KB
-
Sample
230508-blsrfaac7s
-
MD5
0439f1244f71dce10ac6a9aa0a7c5267
-
SHA1
682b0dfe38feab7416e4d0f70e086530f307f9f5
-
SHA256
d080665a2e670ebca96d72f5766911321583b00cb822dabc4d7a5da13e5c04e4
-
SHA512
81141c6b997269c4f105ac51d89f411cb134b582c8b74b896dfb8121a31e03f76ba8a14cffc7ad9fb3655c7f6a39efdc2557735453dfb5d3580b8feb7fb5d885
-
SSDEEP
3072:ORB7ZA3hRQMSE/RW6T0QwwR37al3LV7/k61NzF1tvCmAFlUsJsECbptkMfDBh47c:EB9SRB7pX0Qww57c3LV7/X1NJCTljsPB
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
53c6ebd75518ed05b22ab762b476f48313b700283358dccb7d55b02f29cfe462.exe
-
Size
292KB
-
MD5
4e39579f1251ae570e145e352e7393f7
-
SHA1
07497b310187f77e2c18364c7a0e31068be822d1
-
SHA256
53c6ebd75518ed05b22ab762b476f48313b700283358dccb7d55b02f29cfe462
-
SHA512
29dd728463e77e3988a074a97b36ebba3f0876e684ea96746b3ec0aeaf78e4ee25182b34a51900b6400fd8a22ea9a911bb15ae195bd04419f8303b9412920009
-
SSDEEP
3072:Xk6e+HiNFjbrieXWP72/BRczZpgAhtBE3k2Bxz+4a2GMW/ft/Dr05xK:7zkjbrFi78BkpgKC3z2YK
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-