General
-
Target
064a7850f92d518ccd3e2d57d1ab7922d851f9557cdce8218787ca9b794b0dfe
-
Size
128KB
-
Sample
240417-pjjbwaee59
-
MD5
01ec81be8e14e87a9d34d5d377f51773
-
SHA1
e367a0e0f8471897cf34f9dd417c58b811fb5867
-
SHA256
064a7850f92d518ccd3e2d57d1ab7922d851f9557cdce8218787ca9b794b0dfe
-
SHA512
c758524d1090d94ff6ac028a6118a937b04314d5a750ea3f442efe2bf3e7b42a3bafdbbd953e8fddc7623b4138d7250ee498ce80058b017fc79fd97c3735b781
-
SSDEEP
3072:xAJ1HfZznYrMxqLVceMl+AvEYJ6ytAFtMa/CmG5v1TLDyGI1x:xC/nKHLOeMl+AcupAFtMa/C15TE
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
900f15042c99288aef15c9187640b625ffec568147dd761f1508e9b61cc174d7.exe
-
Size
204KB
-
MD5
1f57a9bb99804b8193ef503404bb7387
-
SHA1
674710911110b4b45030b990dabb3c45fd095b3f
-
SHA256
900f15042c99288aef15c9187640b625ffec568147dd761f1508e9b61cc174d7
-
SHA512
d93b6d24f3fdb267a0d43195bbba3494cb2734756e5e3090cea9e65c584d66ca5eb1842bda274f484a42dac89f2fb196a2ef83e9f8e70dad4ca4b1351c3acce7
-
SSDEEP
3072:qfrB/GLaZdXUNc8iirJiM21K7uu+5Oiq08tJz5zoy887jImQpeBNMRDx/+cmH:qfrwclVORxv5z8kI1x2co
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2