General

  • Target: a3247152e18ba6e88311f082a86515d3.bin
  • Size: 111KB
  • Sample: 240904-b4jlgssfkk
  • MD5: ae4802ea79e5fa009bcf99179d6a0eef
  • SHA1: 1651f3242e597ea74fa346e01933d16211ca2c70
  • SHA256: 714f0c6f63ab2f3290eab02829e6c71b156c96bbc8f274df3c11e839665c6bfd
  • SHA512: 72949731fd569e8a53b74cbb7a22e908b4d851e6406160e21e47d3015a0669ed3321010adde4755b2f37e4291ec473c04dc575605444d3c39c4cda657aa44996
  • SSDEEP: 1536:6M9ES+BBnHUvYXrqLM5yXbN/CdRWa4kpZTZ1eP3U67QfI006Hw5jcWkdHIBixEOg:6M4HYuqo5CbNQR79W3bJ0K6oBRnLP

Malware Config

  • Status: Extracted
  • Family: tofsee
  • C2: vanaheim.cn, jotunheim.name

Targets

  • Target: 02c6f9163a5d988cee3ab12c11e03b18329c26d6b4863004f943133654693e97.exe
  • Size: 213KB
  • MD5: a3247152e18ba6e88311f082a86515d3
  • SHA1: 80da2f14bb17f2d3ff1df6faf25622ebb8cf00c8
  • SHA256: 02c6f9163a5d988cee3ab12c11e03b18329c26d6b4863004f943133654693e97
  • SHA512: b09fc49d7126b37c37f499be522c4b57e7538d2f64600bd789c93d90a315a023f0fbed9466c6069a38bb8c80bc9a6b250fcaec03b59ecfb3a40754c235c3e6d8
  • SSDEEP: 3072:AOFL8HN3BB33u/iMUk6efofpWqX2hnesi5kb:tLqN3Bt36iM/ofpKhn9

  Signatures:

    • Tofsee: backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Deletes itself
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
