General
-
Target
dc126faa29a2e26dbd95134059e682c28afee0e1a3d2573584c8226d838f735d
-
Size
11.1MB
-
Sample
240511-j63q5sgc8v
-
MD5
0ad58678a408902fd64f7af414738868
-
SHA1
c3f7da6f93660d26259ceafb4c4d13cb7160455e
-
SHA256
dc126faa29a2e26dbd95134059e682c28afee0e1a3d2573584c8226d838f735d
-
SHA512
2f441ca748ec8cd9e94a6759979caa64c30c1d10ba6931cf36288dd65596bc9445dec79d2b47bf3e2d9e82358a5ca05574513123c49f0eba23470585d3e68e54
-
SSDEEP
12288:mSpmG/1+U3VGAnqy5iXBhULiprrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr:L/1+U3Q6ixyLi
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
dc126faa29a2e26dbd95134059e682c28afee0e1a3d2573584c8226d838f735d
-
Size
11.1MB
-
MD5
0ad58678a408902fd64f7af414738868
-
SHA1
c3f7da6f93660d26259ceafb4c4d13cb7160455e
-
SHA256
dc126faa29a2e26dbd95134059e682c28afee0e1a3d2573584c8226d838f735d
-
SHA512
2f441ca748ec8cd9e94a6759979caa64c30c1d10ba6931cf36288dd65596bc9445dec79d2b47bf3e2d9e82358a5ca05574513123c49f0eba23470585d3e68e54
-
SSDEEP
12288:mSpmG/1+U3VGAnqy5iXBhULiprrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr:L/1+U3Q6ixyLi
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2