General
-
Target
8d7795e565558f472cef93c4d960ba71676d4a1fd45ddd6d7912223878a8285b
-
Size
166KB
-
Sample
240417-qv874sbd41
-
MD5
c0407a73aa3aabd7f06c0082770e70bf
-
SHA1
05e4d8cefffdf347af32d30cd61cf0fef6d0ff22
-
SHA256
8d7795e565558f472cef93c4d960ba71676d4a1fd45ddd6d7912223878a8285b
-
SHA512
323788b0b39c31c4ee63d8afd055a0c90f02521247438536edf8eb8ece63b160d2414c56b2457e038b5cf9c65a0b104fe7415cc851ace51eac90354594e2367a
-
SSDEEP
3072:Qiec6mlBLsdZFjohTmcpjDuF8/Laq5SdiG34ktnuFGs2UPIaPKVPV2GJSA:9ecXhcF4TfpQMbSd14nFGslPIZZ1b
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
204063581a5aac527fc0be421097ddc37b338cedced74ca6858f88f3d31bcc51.exe
-
Size
303KB
-
MD5
09e86355c9c595720b5a6154426c9910
-
SHA1
83b66aaab60f02c75b43ce10e5b77ba87646e2e7
-
SHA256
204063581a5aac527fc0be421097ddc37b338cedced74ca6858f88f3d31bcc51
-
SHA512
4072e6ee0e6535ea9787ca8e38061bf72a9c962f1018117beb5c1869e7c7ca74272e6f7dd7f326fe93ced3f8eee44a59ed7330691ab67b709e2601610a29693b
-
SSDEEP
6144:H8prBAyFXYy/6LDrWvzVYWMsfKaA9Vpwpp69a:Hi0y/6LDiuWMSFeCII
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2