General
-
Target
535134b37aa43990b700243cec5669b4736818d839f1f2f92cdedcc7a7fb9e23
-
Size
127KB
-
Sample
240417-r7pvnsec7x
-
MD5
4fafdcbc16652b687398de9e77e3e40e
-
SHA1
c638c39cf766c244d090f9c0d7f457a8fe467b4c
-
SHA256
535134b37aa43990b700243cec5669b4736818d839f1f2f92cdedcc7a7fb9e23
-
SHA512
29518743be383c45a69174057fa0d0b073e2b8fc57d57f5047e8ce85f5e06414c1231218b83c92787c46ee893f73320792d984e9197aa765f4b31caa01c56e06
-
SSDEEP
3072:QWV0x5RLe59eu/6Cr4PVXYAcNVOBS0OTzt2AOGEWuIbjA+N:dVo5RLe59eu/6oAc+00OTzt2dvWuIfl
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
4da2cf296ff1402fe8a6e0bdbfb00a06008b8ba5a3825b42f4f75ef2101c8ce4.exe
-
Size
203KB
-
MD5
6a029324fa243a4b1cad4a6bbcc2e9a3
-
SHA1
8187f39aaa95e89707c479db4115b4679110547c
-
SHA256
4da2cf296ff1402fe8a6e0bdbfb00a06008b8ba5a3825b42f4f75ef2101c8ce4
-
SHA512
ae92eb275eb0e7b44a1baf80233cc7ccb8ed3d94ad7833ea1de8b040bf4917a1a7de6f952dae0ced3fc307919c20e6748561bbe6eecc771d79f0540f4934fcdf
-
SSDEEP
3072:FJ9RtZYNXsdUsBGQJiE/1KWvEDAKPeubjLzkYd+IrVXsfR80B+cmH:3bUVu7KPeuvJUAV95co
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2