Overview

overview

10

Static

static

3

d44236eeb9...79.exe

windows7-x64

10

d44236eeb9...79.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    adc1b56f7597be5415a70733114185919a85c8b2d3f133a861702ac7218d4ae9

  • Size

    160KB

  • Sample

    240417-qtbv8ahf65

  • MD5

    bc25cb9accf644dc9d5205b4fb047cfd

  • SHA1

    ef7225dc2ffc5fd24cac9e3ccd777adaba0dea42

  • SHA256

    adc1b56f7597be5415a70733114185919a85c8b2d3f133a861702ac7218d4ae9

  • SHA512

    b2cbcc61508b10039843b2d0c0a2a24af1460d6c393adb42a0724fcef34ad1887772e223135bea06670be455f2108f34aed3c914333d0568389aaf944270c5d8

  • SSDEEP

    3072:72mm5zJMARxxGXliw9208PZ12kc5BevsdPezWzExIYJb7:6m0tMAPGXlH2DPvGbdToxIYJb7

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      d44236eeb92cc872600b3d0ae889c11912c1bb08c9a0f9c1657c9e2d58466879.exe

    • Size

      291KB

    • MD5

      3fff6b68ec9d18f01572e95e28bcda01

    • SHA1

      8e882c3a22ced47fb0d1ef77e5b4fa929c1fb2c1

    • SHA256

      d44236eeb92cc872600b3d0ae889c11912c1bb08c9a0f9c1657c9e2d58466879

    • SHA512

      2a8ad523c74dc5c52ec6f817779254bb8b89efbcede5d1e4cdce256e040ac98e9e9b477f25a41d26d837d43facaf20ee651607e3113f3b58ad32789e031cea73

    • SSDEEP

      3072:Eb8yXVzi6JLd9LBOr59azRrCLneVsXJnEmtGHJ/JVeECaCb7HBr4u0hlb6C:lMiULdVsV9azRkRX9FupfevbTBdop6

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks