General
-
Target
d41959091ac25edd70b048368c7095644fb252d34ff088c49f4d56c8d2f5ae35
-
Size
145KB
-
Sample
240417-qk14raaf5x
-
MD5
35588b5c2b33c212d0dec527e6a17c6a
-
SHA1
d73995632501d922dc0d0b2f50a8f5889dfa8398
-
SHA256
d41959091ac25edd70b048368c7095644fb252d34ff088c49f4d56c8d2f5ae35
-
SHA512
24622f1c91f2169278a5c090c7078152e203f27edcf4cb81fa9730eff80f0a4b3cf92c83b1fd6fc392ae5481776036c97856180c92822fac97c390c041e7d4b0
-
SSDEEP
3072:gr62ho2jmnp/p9TVWQ9dO123rvr7BBJ/SBvyYW:b2o2jotfTVWQXOI3rr7BgvyYW
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
04ec244112b44e9592f9c5e45ab50e67e402f0704d8121678afe46117de90482.exe
-
Size
233KB
-
MD5
f81a2c93c44bfec11cdd55eb53dde5df
-
SHA1
45cb3d7066113e86fff081e309265a797af0ef51
-
SHA256
04ec244112b44e9592f9c5e45ab50e67e402f0704d8121678afe46117de90482
-
SHA512
c9fc2a6239235aa0bf24e700665666c8500000bcc76dc8e26922f8cfc0f961949bf7fa04bf9877ea3254b9a5879752d1b3f75d945318c246770b507bc0b0199e
-
SSDEEP
3072:LefNGJ/ceeYkb2BNog9oADOF4t0wC0NnpXIpKjVEqLDOO7n+MnIitmjXO9ZJwVQk:Le1GM+NobFm0wC0NpYpuVEqSFOTF
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2