General
-
Target
5ca926323ee94836ddb1b595c5361e9f731ddf584921d0689df0e1c573104585
-
Size
166KB
-
Sample
240417-qhkzraae3y
-
MD5
cc22b638c0c86a75a188d527f106b7d7
-
SHA1
74783181a98087dd93e5c2dfa21505267e328908
-
SHA256
5ca926323ee94836ddb1b595c5361e9f731ddf584921d0689df0e1c573104585
-
SHA512
cf88a06900bf95060893f2a647f5df1f1d3f0adf2fd2b2f42869f8aefe1a6c2cceb145f22614ba4df08adb82cfed5cf1f0f98689913415e90c183f4ad6a866b8
-
SSDEEP
3072:crKrp7mvwQ6Vjq8f8s927tyN66aYdpRaaoIabEaTw1IKE6HeM6lkR8xfNl1:2CKzsq8fn92I66LUapIKJ+9A8v7
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
74d8ea75eaa0b08203bd607fc7b03b96ea3c45f5fda7d883d8587db4b85c1bed.exe
-
Size
307KB
-
MD5
3d4b04ef5fa77beaeef043f5a0fe5912
-
SHA1
ad07caff0de5987592a648fbb9d4f240c088ac2a
-
SHA256
74d8ea75eaa0b08203bd607fc7b03b96ea3c45f5fda7d883d8587db4b85c1bed
-
SHA512
f6f3be5f5e78d4a97a96b8f1ed9d816000d063e3ec16e65ab3617cd86c28b68e0e4a5d5a835c36df731482541fe494b7d625d989adc7f176686d6178441ae959
-
SSDEEP
3072:FIc+GjPykq8OdTpVbv+XeC6jRxK2s2mUn5wMT2UXdZ315U:mw7yFB1v7jjK3hMTFNhM
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2