General
-
Target
0518877dfc35e38b1555f274b81db21a9607ea9735557bfd32b26430d49363bc
-
Size
133KB
-
Sample
240417-pjxjhaee79
-
MD5
9d554fade6705c14fbf8b094beb635d1
-
SHA1
b4e1b07febbd0f390da92a9deb183d6684aa7309
-
SHA256
0518877dfc35e38b1555f274b81db21a9607ea9735557bfd32b26430d49363bc
-
SHA512
ea2fccc02dfd4061eb9741c8ff6fb7a8582d77616a91e72bc359543360a9c8fe7af675547136cda1ce475f110847fe5c1d041646ba5e8d271abf28cb8df2ad69
-
SSDEEP
3072:L15YsWoMvV1LgBkJBMbVvA/GjcefKaxkTp6t:LvDSvvwkIbVaGfK6kpE
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
4c09c870971edffb8a06d14f0789d17f51522c5df43af48fe14ee926cf721354.exe
-
Size
220KB
-
MD5
06d5f0ada968c0a1640846c8023e9ee9
-
SHA1
961c48464fc79febeca7994b80369004b87bc34b
-
SHA256
4c09c870971edffb8a06d14f0789d17f51522c5df43af48fe14ee926cf721354
-
SHA512
dcb31fd9a44b6216da80482db6d3ebc0ae76bd3679b6c243cb65aa06c359b3ec7a89dca9f9cf3f3387e1c51a0ba1042382304eb19ddfacc1c22b92be18abe6f8
-
SSDEEP
6144:Vb/qTWJpjKTI1rFeB4jsVSfnLqS5ICk1hcGP:JxJtKTIpEBc6fP
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2