General

  • Target

    7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.zip

  • Size

    164KB

  • Sample

    231119-1bq8ascf3v

  • MD5

    a21ae8cfb1b53fb43b53ef7c470e7973

  • SHA1

    b66e7af6b1decb7291b26ce2f2d20d748e5476c3

  • SHA256

    4ee930a612d132bce0a8af62c52b8e6d3e124bf344cab0d7db489b0455f592f0

  • SHA512

    184de947f3f7a2b71e8391187e116588cf1fefaa5fcd8156bb86c43f7469d24cb30466480bb53707f2f386d864615f5d03e84e1b16bc9ceafff0cd5947c5bc7f

  • SSDEEP

    3072:LbWZod7+k2XiiK5KxrvwGmnqFN10uuZQTNyzWgN3DtTJgvyJ6nI1qjWBhSDctJH:eOd7yySBwLnqP10liTUzO46nHQIcj

Malware Config

  • Extracted

    • Family

      tofsee

    • C2

      vanaheim.cn

      jotunheim.name

Targets

    • Target

      7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe

    • Size

      254KB

    • MD5

      02ac11d7691ed7141949fc5c03d5aae8

    • SHA1

      b122e23b4dfb29d4efedbbe7a72c75d696f8a7ac

    • SHA256

      7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee

    • SHA512

      c437f0cec3cbe5a62a650cafd0814016864c083a2df5a65000d0411b8249daec0744b7c948039a97848135a263ba183a9cb00876fbc3d22ee1e8322dfda0e55e

    • SSDEEP

      3072:M9xGAh803FPqB1HzqotaoQpxVKPk4hjw6EX7eUkpvTRSdnbr4rO/p/4CY/:w/8iYlAxVKMuELrdnbr4yG

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks