General
-
Target
86aa4ff27e06217513d3cb541fdd846f69f67ed3ea086443ae523972c1bff322
-
Size
127KB
-
Sample
240417-r7k7gsch43
-
MD5
e99dfb612a2d7b7b2e61ae548f64cf74
-
SHA1
6cd1f36a10aba700e91609cb18310805562a3743
-
SHA256
86aa4ff27e06217513d3cb541fdd846f69f67ed3ea086443ae523972c1bff322
-
SHA512
2f548474152f3e3099d60df513df9fedd906a5d6ccde373b674258583d1e580261f30cd8bda5fef84876cfee837e551c6c345fea42a87ee48d18d73f0ce47469
-
SSDEEP
3072:k/RttygJutnfKxAfcKZiG5KnjIzYWhb2TqGsL23gwGVC:wRtjckAkI28zYWhiuGO2wu
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
3555ecd8bb270312994e03bf64695a3f1c0213a2abf85b890ebe2bb40a9648a3.exe
-
Size
203KB
-
MD5
e80ed6ccb333b7fc33ffc98bca43b57d
-
SHA1
170281a608fe94eee06a9f45466f6a47bd2272e3
-
SHA256
3555ecd8bb270312994e03bf64695a3f1c0213a2abf85b890ebe2bb40a9648a3
-
SHA512
3209c004cebb1e2f544f7d8457175a62da8a225bc08bcbb051c240eddc610ca8e1ddfe7f6d758d2e09517030afad689b6805fc2b8b801a1f182c04369191a30d
-
SSDEEP
3072:eafjdfYraZJXENc8uCXJiXK1K2LEpzUCV+PaIh9bwdANblLNBNKRrxbU+cmH:eafjqQ15OCyLLkCVkxbDco
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2