General
-
Target
06b9f586d1cb01906c18ee290e5f3247cef2380e51628f31e9eff9078b8e2201
-
Size
160KB
-
Sample
240417-pjct4aee53
-
MD5
1affe56af61fb7e56cd8450ac3622387
-
SHA1
35a0d4637092c94a4ec43d80961f9b363f92cd8e
-
SHA256
06b9f586d1cb01906c18ee290e5f3247cef2380e51628f31e9eff9078b8e2201
-
SHA512
4d4148e0d5ebcd32dd251d2b1f3861134a52996a5f6921a41ee451465fb48edb228a36b7b5b26cbdbff45d5d975950a10fdc8e544aac8f0915f6136e4608e353
-
SSDEEP
3072:IoghE1FTxJZC61yjNGV1cgo455eARX+8JRm0ZSrc4RI0h:niE1zn16I64rTXDJUyGI0h
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe
-
Size
256KB
-
MD5
11d6fdab8ce0a4462699d12d8cc6e181
-
SHA1
f79dd773636fb0c46346f08e9a36bea666e34350
-
SHA256
aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5
-
SHA512
dd582a962bc9d3c50782a528a1c635d065530b96f7e1325d0c254f299b10b29218a8626b15f18b11aaf234b7393cea39d8025fa8d023fa9e79bdbdce2d6478a6
-
SSDEEP
3072:DlrJL/wyRvNQG+FiOf5hqBNDo0Rpv01b8FbuW5hL4WeNH601:D3L/wUkFiOf5Ybon1gL4WeNa
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2