General
-
Target
5b43c20c3b20018c4659f99f4be427e09e37dc0c4c3a12c62603519880c64f30
-
Size
146KB
-
Sample
240417-rj4c6abd39
-
MD5
8ef6dfe093264bb95d8c107232e0a919
-
SHA1
9b20a1f0282b21649ead5601d18f93089643a489
-
SHA256
5b43c20c3b20018c4659f99f4be427e09e37dc0c4c3a12c62603519880c64f30
-
SHA512
7370b73056d19e4e50c7013bc11c7204a548d34f9840aef0ce5a3fbb92d384290197ccd12b1dab26ecdafc8a23e3506ea739335f1994d1eb248169f3d2e854f7
-
SSDEEP
3072:UPPNb/EH7MN34dAKyeJMVKPeTAnVilD8OlCED9ILT4Do:UNIH7CodAK5JoTsnIRlCEpy4o
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
c5fe1e625c87aa811d76f20079f286f5b9f3b5c971d5ba86350c37327c509981.exe
-
Size
233KB
-
MD5
9f72ad79bba9d398a150be4b676c624b
-
SHA1
f06218c9fb624ba6a8040846c1a888e6dacc6fb6
-
SHA256
c5fe1e625c87aa811d76f20079f286f5b9f3b5c971d5ba86350c37327c509981
-
SHA512
bd7a919b1773115756c1b795fc3111132f7acd8290e2d82c25e6b6d03510bc61f7736c3b1fee2794bd3492e103121018d83565d2dea79287481b99f31bdbb393
-
SSDEEP
3072:1oCTZcw8fGJiR21K9Np5Y4xL1JTp0C2bhUQiGkRo8DegwT:1ob/vFF2bhd8l
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2