General
-
Target
5f1d4a07165fea602c726cb5e8cbcb40cd069a4ea22d730500ed7bdd988d9109
-
Size
127KB
-
Sample
240417-qj83zaaf21
-
MD5
1dbb6d35778a9372aeb101840bdca0ad
-
SHA1
d09351b8d5e769c4745cf9143ab81ac8222fbc67
-
SHA256
5f1d4a07165fea602c726cb5e8cbcb40cd069a4ea22d730500ed7bdd988d9109
-
SHA512
17b0b3b931da7a122947d934bf6a8e18e628e65e4d7d12e2efac84a041e9872decd99ed42e2e7d99b8e6b1eba605fd0f2630e79dbd80396f4e7cc458c4e1eea6
-
SSDEEP
3072:mPqyv4iz3NgJzHG/tAxce6ZiJs1uVJvoQ8R/nhwOjEs:eqAbQzHEQ6Z86uVV8R5wo
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
c9ba75c3c2b17dd64211ae2d9859ced46f797f4f25d867c63c813462a857b524.exe
-
Size
203KB
-
MD5
90d047019c018e2188352f9aeee97192
-
SHA1
e0d7eee14e19ddb119760d4e15e387f285d82076
-
SHA256
c9ba75c3c2b17dd64211ae2d9859ced46f797f4f25d867c63c813462a857b524
-
SHA512
4aa2fa4f364a398cb763cbd317ea91dbac17e9e5ed44e5ebe09ba16e62cedb588d98ad807adb84127b00c757bcfef31f229aed5294a71ce682ef494da558b5a7
-
SSDEEP
3072:DkIfnM3Jq/AmlEkJiAj1K/2sv1p6Ti/ZVqJnctmLoQCCRLQ+cmk:DkIzXlEh5VqKtm8CXcL
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1