General
-
Target
e9a144f45ff4fa0e1cb4e90bd65284c86dfcff9651ded99d62af4d045e1d700e
-
Size
128KB
-
Sample
240417-qtg28shf74
-
MD5
f573a4365fa3ef0d8a1e4886061dcbe6
-
SHA1
25494c932525a5bc9cb79a953422a116a72717a6
-
SHA256
e9a144f45ff4fa0e1cb4e90bd65284c86dfcff9651ded99d62af4d045e1d700e
-
SHA512
d51e6ec67391309eda4d2ef0656feeba2a6b1eda922af661e103c4079325860b08b9c8204c12611ad470b043685d493c42047549e0f2d80a1a0ec99c9a8fed78
-
SSDEEP
3072:Ign6A1NUyqIt1VqPGJNzFrXzBVi0k8hU6T84l3:hn6A4It1UKzZXljTbl3
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
900f15042c99288aef15c9187640b625ffec568147dd761f1508e9b61cc174d7.exe
-
Size
204KB
-
MD5
1f57a9bb99804b8193ef503404bb7387
-
SHA1
674710911110b4b45030b990dabb3c45fd095b3f
-
SHA256
900f15042c99288aef15c9187640b625ffec568147dd761f1508e9b61cc174d7
-
SHA512
d93b6d24f3fdb267a0d43195bbba3494cb2734756e5e3090cea9e65c584d66ca5eb1842bda274f484a42dac89f2fb196a2ef83e9f8e70dad4ca4b1351c3acce7
-
SSDEEP
3072:qfrB/GLaZdXUNc8iirJiM21K7uu+5Oiq08tJz5zoy887jImQpeBNMRDx/+cmH:qfrwclVORxv5z8kI1x2co
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2