Overview

overview

10

Static

static

3

c5fe1e625c...81.exe

windows7-x64

10

c5fe1e625c...81.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0ba4b5e23a677a3a247b8626e4a8a4252202870250886cbcb60612f54b834ff4

  • Size

    146KB

  • Sample

    240417-qknteshb26

  • MD5

    6c33cc7fe86854c40465d0ce81c3876d

  • SHA1

    a1b9320ef4ee6f3a6f6913a49c64486cab0e50e7

  • SHA256

    0ba4b5e23a677a3a247b8626e4a8a4252202870250886cbcb60612f54b834ff4

  • SHA512

    b9efd2fbd9a380362ac6c03a3f04571e68d20ed2685ce3c4f668e8a0226d0a95d17059770d4f4de7e43bfee6461b5a94f7092c130e7cf466effecfe3d6355903

  • SSDEEP

    3072:kRyjF1LQnvxdjvRzIeW3wvB08y6EQ2wnUIzOWnY0rfATZLYbiP91lP:ZP+vxdvR0eW3sHRYoATZYbiPXlP

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      c5fe1e625c87aa811d76f20079f286f5b9f3b5c971d5ba86350c37327c509981.exe

    • Size

      233KB

    • MD5

      9f72ad79bba9d398a150be4b676c624b

    • SHA1

      f06218c9fb624ba6a8040846c1a888e6dacc6fb6

    • SHA256

      c5fe1e625c87aa811d76f20079f286f5b9f3b5c971d5ba86350c37327c509981

    • SHA512

      bd7a919b1773115756c1b795fc3111132f7acd8290e2d82c25e6b6d03510bc61f7736c3b1fee2794bd3492e103121018d83565d2dea79287481b99f31bdbb393

    • SSDEEP

      3072:1oCTZcw8fGJiR21K9Np5Y4xL1JTp0C2bhUQiGkRo8DegwT:1ob/vFF2bhd8l

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks