General

  • Target: rXTqHar5Ud.exe
  • Size: 397KB
  • Sample: 240923-ww3dvawekm
  • MD5: f403202fb853377ceb67200005ef95b8
  • SHA1: 1840e1495486209e92e5230cf1406f31a02699e7
  • SHA256: 3eebf917efa82ea7b81f37e9f8c98a702254c5f0a487667a72e78d53a61ce363
  • SHA512: 13b130d6f2ac8be444e16d4b1116812179d5043912a7aa24bd0d566eeecf4447be09fd54266dc12ff1902569d048c93a2d0c827abc135b0159f8156c18f9bf7a
  • SSDEEP: 6144:7BYOcLH6/xNtFxaS3DpwmEIey0bGWEbje2bkln5eOy8:76Ocb6/r/xv2GWaeaklQT8

Malware Config

Extracted

  • Family: tofsee
  • C2: vanaheim.cn, jotunheim.name

Targets

    • Target

      rXTqHar5Ud.exe

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks