General
-
Target
ef4eda0f7e7f357ff3018c8a331fbf101076677e34663129e55a791f4287e757
-
Size
165KB
-
Sample
240417-qt8vyshg32
-
MD5
d45a6a1871e85409054fc3bc2396c548
-
SHA1
dfc112c879acac6eaa8c6844b613494754251069
-
SHA256
ef4eda0f7e7f357ff3018c8a331fbf101076677e34663129e55a791f4287e757
-
SHA512
abba86be5bde354aaafded28fb253db354b389bab343a206ac707a772364354bd48d6fb2274f73a74edc65723fa535b70f56a864e0e60d72baa35774a779807b
-
SSDEEP
3072:IBEk0NEvwOoKmO8e4b+kLJvLcm2/kYRcmjZgsEn7xrEc9xOwkJu46:oTA0MhLcZMYJjZgsEn7FxOR6
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
3cec06bcddcd94226a7436028917384f92a6921390cc1ee58548c3a51c448e5f.exe
-
Size
306KB
-
MD5
f4592b71d5dadabf66ee3700e84edf8b
-
SHA1
b32b3ecf9a3e82a0123998ce71857e53dac64150
-
SHA256
3cec06bcddcd94226a7436028917384f92a6921390cc1ee58548c3a51c448e5f
-
SHA512
5e3ebf43df2a9f35faf1368a2dab44777e560dc893bea3b75dc6f9fe1d2ccda9273dbfdf83eeed593f0c4ef9cb461210f85850ee84fdf89d10da186159150038
-
SSDEEP
3072:nY+QUDdSe9eBtw8snC2H2/q2v43YAy4iD1nJ75VyUZ7ixF7Mu63jXdo:b/KMC2H2yogyFP9jX
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2