Overview

overview

10

Static

static

3

9dc0085f64...d1.exe

windows7-x64

10

9dc0085f64...d1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9e7b16018a1d332361f4533fe2b210ea39c7e748f05210ff217b4aa9be61ce73

  • Size

    145KB

  • Sample

    240417-r64x7sch23

  • MD5

    7a8091785e411f798cf2feb152726a87

  • SHA1

    224fe2b2fb6ff1f9e4208c0e482d549f06b3fa41

  • SHA256

    9e7b16018a1d332361f4533fe2b210ea39c7e748f05210ff217b4aa9be61ce73

  • SHA512

    e76d931d46922e11bf18834b626f9b4976fdcf80f5d1ee434af64b5cace0567a4fb06711dd5a59c671ba0382c9636004c7783e947c394cee4afa969de0779a78

  • SSDEEP

    3072:wLqn5RdkI7ZSOOoGlyX1rvAvSkPa25HPXPosruLGkRnPue:wL6Rj7I7FU4KktpP/VFsnPj

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      9dc0085f64473ca82753f59552bae76c64b5165e72899d727cd18f4d1afbd9d1.exe

    • Size

      233KB

    • MD5

      e1fd44ce08b0383dc59e732bb0b1f2d9

    • SHA1

      70dc0dba88f5b4d02f554627ec8fce32b9237fcc

    • SHA256

      9dc0085f64473ca82753f59552bae76c64b5165e72899d727cd18f4d1afbd9d1

    • SHA512

      7db8ae6bbead6c8603fda377b70cf05f793a795ca29cef50a97c6df148c4ecf5677880177016d7e65e51b204bbeed22b07e31f9d021305ea7a350b7130121d0d

    • SSDEEP

      3072:TcYelBc/ctFykDqPogVwsvhQNW3k1QxCJ18YcRfIBvd4rm5qe4EY3jXO9ZJwVQk:TcdBJ+PojEk1QEJq1FIBv74E2OTF

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks