General
-
Target
78afae32372bc649e801d37ade3f498f39b86cf5e8adc7917a46d716137e3533
-
Size
145KB
-
Sample
240417-qk4vmshb49
-
MD5
d38890b7e3650eb8b43ddb28f0315978
-
SHA1
a727a3871f49a0bd0b94482a52efcb092c323cc8
-
SHA256
78afae32372bc649e801d37ade3f498f39b86cf5e8adc7917a46d716137e3533
-
SHA512
be333f80e80dfb6372a5d1c70e6d3b760c3a303416743d2800e09ead50c202f5307409cc9ea5350b2f82d1ce43216af1cb98264e694f1eca76ea503085a010d7
-
SSDEEP
3072:xia7GWczxa+/Xo9enZA5V3d4AMXzZz0P8wnuMo6DtT:4a7GTs+/XweZA53CjZg1U6p
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
9dc0085f64473ca82753f59552bae76c64b5165e72899d727cd18f4d1afbd9d1.exe
-
Size
233KB
-
MD5
e1fd44ce08b0383dc59e732bb0b1f2d9
-
SHA1
70dc0dba88f5b4d02f554627ec8fce32b9237fcc
-
SHA256
9dc0085f64473ca82753f59552bae76c64b5165e72899d727cd18f4d1afbd9d1
-
SHA512
7db8ae6bbead6c8603fda377b70cf05f793a795ca29cef50a97c6df148c4ecf5677880177016d7e65e51b204bbeed22b07e31f9d021305ea7a350b7130121d0d
-
SSDEEP
3072:TcYelBc/ctFykDqPogVwsvhQNW3k1QxCJ18YcRfIBvd4rm5qe4EY3jXO9ZJwVQk:TcdBJ+PojEk1QEJq1FIBv74E2OTF
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1