General
-
Target
0ba4b5e23a677a3a247b8626e4a8a4252202870250886cbcb60612f54b834ff4
-
Size
146KB
-
Sample
240417-qknteshb26
-
MD5
6c33cc7fe86854c40465d0ce81c3876d
-
SHA1
a1b9320ef4ee6f3a6f6913a49c64486cab0e50e7
-
SHA256
0ba4b5e23a677a3a247b8626e4a8a4252202870250886cbcb60612f54b834ff4
-
SHA512
b9efd2fbd9a380362ac6c03a3f04571e68d20ed2685ce3c4f668e8a0226d0a95d17059770d4f4de7e43bfee6461b5a94f7092c130e7cf466effecfe3d6355903
-
SSDEEP
3072:kRyjF1LQnvxdjvRzIeW3wvB08y6EQ2wnUIzOWnY0rfATZLYbiP91lP:ZP+vxdvR0eW3sHRYoATZYbiPXlP
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
c5fe1e625c87aa811d76f20079f286f5b9f3b5c971d5ba86350c37327c509981.exe
-
Size
233KB
-
MD5
9f72ad79bba9d398a150be4b676c624b
-
SHA1
f06218c9fb624ba6a8040846c1a888e6dacc6fb6
-
SHA256
c5fe1e625c87aa811d76f20079f286f5b9f3b5c971d5ba86350c37327c509981
-
SHA512
bd7a919b1773115756c1b795fc3111132f7acd8290e2d82c25e6b6d03510bc61f7736c3b1fee2794bd3492e103121018d83565d2dea79287481b99f31bdbb393
-
SSDEEP
3072:1oCTZcw8fGJiR21K9Np5Y4xL1JTp0C2bhUQiGkRo8DegwT:1ob/vFF2bhd8l
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2