General

  • Target

    b5829ea81cde8f48ba1190e20e6bb15d.exe

  • Size

    2.0MB

  • Sample

    240504-m44r7seg36

  • MD5

    b5829ea81cde8f48ba1190e20e6bb15d

  • SHA1

    51fbb15275360bbf2a866f339045527e941e1a85

  • SHA256

    71d1f22830e0f40506171cda626891b4f954ec22f4a4cd0045b37f8d6c404451

  • SHA512

    d84e43e6cf342d0e7696be6b1cbcf42dce5d1efe518f4949faa8841ee398a25a63a6e41440eb10ba0d276454ba73752c9ffb17eddbfd0813a636646663e26b4a

  • SSDEEP

    49152:aaXI0V7PoU9lHrHmvtiLGMIqCGLhRSCquJnm:3Y0V7gU9l2tiLGVGLhRvquJnm

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      b5829ea81cde8f48ba1190e20e6bb15d.exe

    • Size

      2.0MB

    • MD5

      b5829ea81cde8f48ba1190e20e6bb15d

    • SHA1

      51fbb15275360bbf2a866f339045527e941e1a85

    • SHA256

      71d1f22830e0f40506171cda626891b4f954ec22f4a4cd0045b37f8d6c404451

    • SHA512

      d84e43e6cf342d0e7696be6b1cbcf42dce5d1efe518f4949faa8841ee398a25a63a6e41440eb10ba0d276454ba73752c9ffb17eddbfd0813a636646663e26b4a

    • SSDEEP

      49152:aaXI0V7PoU9lHrHmvtiLGMIqCGLhRSCquJnm:3Y0V7gU9l2tiLGVGLhRvquJnm

    • Detect ZGRat V1

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Creates new service(s)

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks