General
-
Target
9a6f39342fc7130c1ee3f87b3652bed7fcb693f5a290aaf8b8aa9144e14e6808
-
Size
145KB
-
Sample
240417-qtypzshf98
-
MD5
555e09c41385dd9fab8505268def2bca
-
SHA1
0f86aef4ddbc655ac6cb1f72bc7303119bdd1e3e
-
SHA256
9a6f39342fc7130c1ee3f87b3652bed7fcb693f5a290aaf8b8aa9144e14e6808
-
SHA512
db5fa0162d84300d43f500d5609044127b16d7eab456fa51f90b761783baf4ed9b45ce5e38ae7807e8fe61aa756871d5498284888e51c4ffcca225f582a58c13
-
SSDEEP
3072:jJ6xHv6VVMLFeYa8+TXKfWiUZJGbDWN0/EDUD/OTKURz:jJ6tv6VeLFda8+Tb2bSw/oKa
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
648bec40870a8c3abce34fcf5924fcdb02601d7b5561aca406808649ff164a6d.exe
-
Size
228KB
-
MD5
aaa0a9ec9406d0974aad08aa5a36927a
-
SHA1
dfef2eaa4d1b0db6711e0fd83b368eedc7aee3ff
-
SHA256
648bec40870a8c3abce34fcf5924fcdb02601d7b5561aca406808649ff164a6d
-
SHA512
e649a25fc6c77a3efbe2c258f28b853bbe65d362f375f5e64841f51b9ee8f6d1bb3fe3f3d7c3d95c9b7afd48e66ec318b5eb6a07a37f13c1cf3465855639eb08
-
SSDEEP
3072:R4FLaaaoeUUG4JiE/Tt+/uFQEgytIFoNtaX9jFaTJJrnOMO2ktcqDXGI2RQ9lV7o:SFLav/Gs/XgyCFo/aX9OhnX8JV0
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2