General
-
Target
10f6b452781aec48a0f4498050be97f3c00397952081c79503be99d566689d79
-
Size
145KB
-
Sample
240417-rj3fvsbd37
-
MD5
956b4126eec78139baa7b79a1bdda4fd
-
SHA1
53f7758ec729951dd56c2381d224d5bcdc4d6b3c
-
SHA256
10f6b452781aec48a0f4498050be97f3c00397952081c79503be99d566689d79
-
SHA512
9fdfc4038a8b837a9b22fdce20be886c4085b4e96ca048035e434f1dea643da5210489dc03c62b126401438b3a5b318e82ece9bcf1f5643cb6575929b0c47cec
-
SSDEEP
3072:vuVKsxtOcqPcc0i2sdxck4vYzgzqMgzPc15WAwuUj43Q/a5i4Zm7ieEJnvl:GxAnUPiVkv+t45WduUU3v5iH72Jnvl
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
9dc0085f64473ca82753f59552bae76c64b5165e72899d727cd18f4d1afbd9d1.exe
-
Size
233KB
-
MD5
e1fd44ce08b0383dc59e732bb0b1f2d9
-
SHA1
70dc0dba88f5b4d02f554627ec8fce32b9237fcc
-
SHA256
9dc0085f64473ca82753f59552bae76c64b5165e72899d727cd18f4d1afbd9d1
-
SHA512
7db8ae6bbead6c8603fda377b70cf05f793a795ca29cef50a97c6df148c4ecf5677880177016d7e65e51b204bbeed22b07e31f9d021305ea7a350b7130121d0d
-
SSDEEP
3072:TcYelBc/ctFykDqPogVwsvhQNW3k1QxCJ18YcRfIBvd4rm5qe4EY3jXO9ZJwVQk:TcdBJ+PojEk1QEJq1FIBv74E2OTF
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1