General
-
Target
31694d3e383f1c51e4589ec887a743ccae80ab1ec0c629a9267e8d1c892179d6
-
Size
127KB
-
Sample
240417-qvr9labd2t
-
MD5
b2571c1189ba1c806452b12ef2ff5405
-
SHA1
3a5165aee5b9ba3398717ca57f2e1dfede3e64a3
-
SHA256
31694d3e383f1c51e4589ec887a743ccae80ab1ec0c629a9267e8d1c892179d6
-
SHA512
d45eea6c66b41f6488ae73deeed4bc9de4508237d033f8553100770ce08d36af44ff85ed1ac864b094d2e598b8ca7ffdef2ed269f955e4bd4515a1674d186fbe
-
SSDEEP
3072:MhDxQclE86dMjWOMTu4ssffMAkKMcjzP2o7:GxQOjh2pkKMSzP97
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
3555ecd8bb270312994e03bf64695a3f1c0213a2abf85b890ebe2bb40a9648a3.exe
-
Size
203KB
-
MD5
e80ed6ccb333b7fc33ffc98bca43b57d
-
SHA1
170281a608fe94eee06a9f45466f6a47bd2272e3
-
SHA256
3555ecd8bb270312994e03bf64695a3f1c0213a2abf85b890ebe2bb40a9648a3
-
SHA512
3209c004cebb1e2f544f7d8457175a62da8a225bc08bcbb051c240eddc610ca8e1ddfe7f6d758d2e09517030afad689b6805fc2b8b801a1f182c04369191a30d
-
SSDEEP
3072:eafjdfYraZJXENc8uCXJiXK1K2LEpzUCV+PaIh9bwdANblLNBNKRrxbU+cmH:eafjqQ15OCyLLkCVkxbDco
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2