General
-
Target
0ad510cda940ae8424cb2d6b11e708f53126da5383e6013415fa16013d335232
-
Size
147KB
-
Sample
240417-qs3bsahf54
-
MD5
b0a09657782664140acee4e7cad1e1bd
-
SHA1
e7f2c50a33b688fa84eec1db6834fbf7ed046a84
-
SHA256
0ad510cda940ae8424cb2d6b11e708f53126da5383e6013415fa16013d335232
-
SHA512
44dde8186a72ea89c4c9698232281f2c08dec8f0c60512284d1f1f64791aef59763da55121df136feec037e57c7d43afe82c43fe6f199572ce26ad2893f167b7
-
SSDEEP
3072:N8n4lIDdSiHW1bGUUOjyRJ5qw/PFS9GHHYF:NgWIDdSi6GayRvJlS96HE
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
ed8e31c2fccca230c75e8246d3e31ee548af0139a1e8dfb4038fa256d362c3d3.exe
-
Size
244KB
-
MD5
cd2eb2cfc4675f413db94ff743d195d7
-
SHA1
bd7b6b5a94387779d88bbfe1e32fa13666be6e9b
-
SHA256
ed8e31c2fccca230c75e8246d3e31ee548af0139a1e8dfb4038fa256d362c3d3
-
SHA512
5c8a1460d71f6db9fede021d2b8521877f85da7ec1b101815577a19a09dfe374526c74eb5f62c38cf56a10d54c4dd2362de07388c76170a6fa7618be9ef8f782
-
SSDEEP
3072:C7lSzmWVD0wRzLKqBKWBgOlaR+f+TmAC+3IxY1b+wiOMOl3eAwXsUvfXVkwIwC8Z:+4x0YLFoegOlaR+WCFi1bviKeXfmh8
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2