General
-
Target
adc1b56f7597be5415a70733114185919a85c8b2d3f133a861702ac7218d4ae9
-
Size
160KB
-
Sample
240417-qtbv8ahf65
-
MD5
bc25cb9accf644dc9d5205b4fb047cfd
-
SHA1
ef7225dc2ffc5fd24cac9e3ccd777adaba0dea42
-
SHA256
adc1b56f7597be5415a70733114185919a85c8b2d3f133a861702ac7218d4ae9
-
SHA512
b2cbcc61508b10039843b2d0c0a2a24af1460d6c393adb42a0724fcef34ad1887772e223135bea06670be455f2108f34aed3c914333d0568389aaf944270c5d8
-
SSDEEP
3072:72mm5zJMARxxGXliw9208PZ12kc5BevsdPezWzExIYJb7:6m0tMAPGXlH2DPvGbdToxIYJb7
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
d44236eeb92cc872600b3d0ae889c11912c1bb08c9a0f9c1657c9e2d58466879.exe
-
Size
291KB
-
MD5
3fff6b68ec9d18f01572e95e28bcda01
-
SHA1
8e882c3a22ced47fb0d1ef77e5b4fa929c1fb2c1
-
SHA256
d44236eeb92cc872600b3d0ae889c11912c1bb08c9a0f9c1657c9e2d58466879
-
SHA512
2a8ad523c74dc5c52ec6f817779254bb8b89efbcede5d1e4cdce256e040ac98e9e9b477f25a41d26d837d43facaf20ee651607e3113f3b58ad32789e031cea73
-
SSDEEP
3072:Eb8yXVzi6JLd9LBOr59azRrCLneVsXJnEmtGHJ/JVeECaCb7HBr4u0hlb6C:lMiULdVsV9azRkRX9FupfevbTBdop6
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2