General

  • Target

    4c9e7ca1b881dd37ba726f6ec004e05d0b2211c7f0e8dd70cb762065266023f6

  • Size

    130KB

  • Sample

    240417-qtayxsbc3w

  • MD5

    e6be1a308e1f40f0de51e525fb822dcd

  • SHA1

    36b9016623ead20a35dfeeb717483c85c25b3790

  • SHA256

    4c9e7ca1b881dd37ba726f6ec004e05d0b2211c7f0e8dd70cb762065266023f6

  • SHA512

    2f989bc1f93cab48323640b3d2e85c01b4a64840ea3d3797fd2233bf0e82371a5974696ab2309ba7cb81bb62524b3c74ba6a5c81277bad621181eea5978b7b3d

  • SSDEEP

    3072:HFAIlWc/iOvs0sJpBq7YWyM28laHQG+TazmhU:XlWyiOunqtX28G+eKK

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn

    jotunheim.name

Targets

    • Target

      480bb7c62d6d596c5c800503158a552287674a749640cd93d17fd731566a9824.exe

    • Size

      264KB

    • MD5

      50d80adb391a32562abd1bbb1ca44d54

    • SHA1

      6b2f264f7929a5315a783e310a521677be483e9d

    • SHA256

      480bb7c62d6d596c5c800503158a552287674a749640cd93d17fd731566a9824

    • SHA512

      05cd8ee3277fcc0250b3abaa2c99ba5e923028855539b3b4423db835d644112aa39ae5bab832d80b9781d77a1e325685544a8a36c40ac1541c3fecf07693d168

    • SSDEEP

      3072:GBp0+j2liTED5ID9bJiJn1K2Dxodv32z+1EeijhVP/EmvI9G5qpRvm:GBp0OD/2zGQVP/em

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, its ATT&CK ID, and the number of matching behaviours observed.

Persistence

  • Create or Modify System Process (T1543): 2

    • Windows Service (T1543.003): 2

  • Boot or Logon Autostart Execution (T1547): 1

    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Create or Modify System Process (T1543): 2

    • Windows Service (T1543.003): 2

  • Boot or Logon Autostart Execution (T1547): 1

    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Impair Defenses (T1562): 2

    • Disable or Modify Tools (T1562.001): 1

    • Disable or Modify System Firewall (T1562.004): 1

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks