Overview

overview

10

Static

static

3

aedba59391...e5.exe

windows7-x64

10

aedba59391...e5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c59728790fb937ef17a9f0084f354f003ebf0ac776188dc0dc7e35908f96cb66

  • Size

    160KB

  • Sample

    240417-rj18ssbd35

  • MD5

    f595f0787426fc6982bfd79fc7de073f

  • SHA1

    5c097a86360c17b8b2e531754647323725376827

  • SHA256

    c59728790fb937ef17a9f0084f354f003ebf0ac776188dc0dc7e35908f96cb66

  • SHA512

    e39d75e0b7027501bb7874c81635412420cb26bc0a206a331834e687c3386920943814c81fdcd32688a5f5c69d032b878111d9f2857bcbd3d9374de7af06ccf6

  • SSDEEP

    3072:7mv4RvwlRSipqq1/3B+xi2lCFil5WTiApnJqHJRrrV53KRgaKhlVNUdV0g6:9iRtQSRv2lCFi3P3BKR2h9zg6

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5.exe

    • Size

      256KB

    • MD5

      11d6fdab8ce0a4462699d12d8cc6e181

    • SHA1

      f79dd773636fb0c46346f08e9a36bea666e34350

    • SHA256

      aedba5939122af54e928bc355fbd3ffce10cc95f8d7efd007b8f9960d3c0cfe5

    • SHA512

      dd582a962bc9d3c50782a528a1c635d065530b96f7e1325d0c254f299b10b29218a8626b15f18b11aaf234b7393cea39d8025fa8d023fa9e79bdbdce2d6478a6

    • SSDEEP

      3072:DlrJL/wyRvNQG+FiOf5hqBNDo0Rpv01b8FbuW5hL4WeNH601:D3L/wUkFiOf5Ybon1gL4WeNa

    Score
    10/10
    tofseeevasionpersistencetrojan

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

1
T1562.001

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks