General
-
Target
2d99070b82d4dd1acbbe731e56928eba3a54d5baba538164b49d19d00487a76c
-
Size
108KB
-
Sample
240417-qtcgrabc3y
-
MD5
78c07c9ff6df8659730c8b8f28b1cd27
-
SHA1
bcacbc152631467045f8e622d2982653b3f02f8b
-
SHA256
2d99070b82d4dd1acbbe731e56928eba3a54d5baba538164b49d19d00487a76c
-
SHA512
caa10377582ebfee44c906e4d6c10146ee552bf806856b00de1fcdf3a6609a8c490fe94aef23f6c2b031b23b09cc73d49addc08d9c1d0a240f5d068405abd43c
-
SSDEEP
3072:ybi4UN/YnGbml3lih595rrMMHh2RdZMWEJPZaANPhDHy:yntkhtrrMMmTyScPRy
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
87dc843c26db143ec9d2869ee4be3e53593fa7b4331a0ceb170f6e2339caa304.exe
-
Size
209KB
-
MD5
33a5257b9ea7acdc82c83014bf5e10c4
-
SHA1
55b35da44a67a5363f56921804defaa084a2265e
-
SHA256
87dc843c26db143ec9d2869ee4be3e53593fa7b4331a0ceb170f6e2339caa304
-
SHA512
1f64da365ca4bfe6934bc4681155d3597f61fef4a9338de16675ad3e7492174a800cdf98e2eb3537b39ebcb4040b05b433768e1d999e82b18779b7d2e139393e
-
SSDEEP
3072:dSSQtGlfg7lQJi9oFseTH0b5dkOExzi6EgdpRIDEqGA:YS/fg7lETzOERpdA
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1