General
-
Target
8e4abfd4545e1a2781f008c864b096bc498dbb4745736cb0ff34ecdc0115ed4a
-
Size
145KB
-
Sample
240417-r62g3scg98
-
MD5
d0f9ccc18f0ffbdd5ad0c9cf486554e8
-
SHA1
449bd3bfd74efcf8d1993e1cccfcadd9e01b3856
-
SHA256
8e4abfd4545e1a2781f008c864b096bc498dbb4745736cb0ff34ecdc0115ed4a
-
SHA512
7b292fb258fbc4f7cfd6cf84d1fbe4555f618a92773eaeba5782bea37f66b552d09425fbfccd114277f20540017a79880837703306e80b003ef16ada1c1481f1
-
SSDEEP
3072:oLuC0C48nGewVtb04NYXsjrNUqQwD+GPaFiEeiDgkroUtYOdVVYo:oLuWnHw3bhNY8jryzqxminogk3uOnB
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
04ec244112b44e9592f9c5e45ab50e67e402f0704d8121678afe46117de90482.exe
-
Size
233KB
-
MD5
f81a2c93c44bfec11cdd55eb53dde5df
-
SHA1
45cb3d7066113e86fff081e309265a797af0ef51
-
SHA256
04ec244112b44e9592f9c5e45ab50e67e402f0704d8121678afe46117de90482
-
SHA512
c9fc2a6239235aa0bf24e700665666c8500000bcc76dc8e26922f8cfc0f961949bf7fa04bf9877ea3254b9a5879752d1b3f75d945318c246770b507bc0b0199e
-
SSDEEP
3072:LefNGJ/ceeYkb2BNog9oADOF4t0wC0NnpXIpKjVEqLDOO7n+MnIitmjXO9ZJwVQk:Le1GM+NobFm0wC0NpYpuVEqSFOTF
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2