Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    file.exe

  • Size

    263KB

  • Sample

    231012-pcaq6ahe4t

  • MD5

    4ebce96bc30f2e908aeceb841493059f

  • SHA1

    843e4e7b409d795ae93018a84cd223c844f7fa61

  • SHA256

    917bd9659af008782d039354a7e4404d075d444ba7c54f50bcb3c7cbe79c63f4

  • SHA512

    2b68299fbc20a01b51a9770aef637f15e9ea4420a0f2acbfdd377c241f0df3a7dd0cd2e2a5fd5e1067763ea606d47ce3a7db8f67e136b4e37598d68ce107f127

  • SSDEEP

    6144:6hbnS4HJdQtvKQ0u40sGlJgNkipt6pas:UbS4pdQtvKt5XEKKiT

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file.exe

    • Size

      263KB

    • MD5

      4ebce96bc30f2e908aeceb841493059f

    • SHA1

      843e4e7b409d795ae93018a84cd223c844f7fa61

    • SHA256

      917bd9659af008782d039354a7e4404d075d444ba7c54f50bcb3c7cbe79c63f4

    • SHA512

      2b68299fbc20a01b51a9770aef637f15e9ea4420a0f2acbfdd377c241f0df3a7dd0cd2e2a5fd5e1067763ea606d47ce3a7db8f67e136b4e37598d68ce107f127

    • SSDEEP

      6144:6hbnS4HJdQtvKQ0u40sGlJgNkipt6pas:UbS4pdQtvKt5XEKKiT

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks