General
-
Target
b2ed945fc6554c9df5c0b3cfec1ad40e699f7f4512fe1d44e995585da1da1a6d
-
Size
152KB
-
Sample
240417-qvs6wsbd2w
-
MD5
d80b80c9a36383481325108c05eba8a4
-
SHA1
fea5f588dd64e7f909c8e60311f2d17384c2256d
-
SHA256
b2ed945fc6554c9df5c0b3cfec1ad40e699f7f4512fe1d44e995585da1da1a6d
-
SHA512
6bf7e8ec05fb2baac96bbdfa2566a8899885b0d5a35092cf8a96616fd13c169c6b40ddeaed444b146a321089f075cfaef78c67394537cff7d2873bab58fccb51
-
SSDEEP
3072:fjZ/um5dMMNOA8c5k4vyOePrFw736AcZCbb9sjPItwQRhekO+:bZ/umxwzc57vbePOD60vkPItTRheW
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
30205eaf6f581036262bfc099dfc5cc5d0e4d771dca3d1c4cf3dada59d097672.exe
-
Size
240KB
-
MD5
5c1b720ec28a3d4af24a19003fb56f50
-
SHA1
fa8c1236c3e7bc4d002be0abf5523659bf4c9af8
-
SHA256
30205eaf6f581036262bfc099dfc5cc5d0e4d771dca3d1c4cf3dada59d097672
-
SHA512
178e4b5633b1c4d455555b394940d6b240dc4da22e621e6c91035870f3e275b25881ea712fc7b73a4e73d9d9376045834fb00b3d03454616d877ecd3cd91790c
-
SSDEEP
3072:JQT/QLtwugcvGMI9+x7alYjt8T/NOOZ/M5l/evBr+jL+0geRp:JE/QLXgSh7aSjtGZ/M5lP3ge
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2