General
-
Target
rXTqHar5Ud.exe
-
Size
397KB
-
Sample
240923-ww3dvawekm
-
MD5
f403202fb853377ceb67200005ef95b8
-
SHA1
1840e1495486209e92e5230cf1406f31a02699e7
-
SHA256
3eebf917efa82ea7b81f37e9f8c98a702254c5f0a487667a72e78d53a61ce363
-
SHA512
13b130d6f2ac8be444e16d4b1116812179d5043912a7aa24bd0d566eeecf4447be09fd54266dc12ff1902569d048c93a2d0c827abc135b0159f8156c18f9bf7a
-
SSDEEP
6144:7BYOcLH6/xNtFxaS3DpwmEIey0bGWEbje2bkln5eOy8:76Ocb6/r/xv2GWaeaklQT8
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
rXTqHar5Ud.exe
-
Size
397KB
-
MD5
f403202fb853377ceb67200005ef95b8
-
SHA1
1840e1495486209e92e5230cf1406f31a02699e7
-
SHA256
3eebf917efa82ea7b81f37e9f8c98a702254c5f0a487667a72e78d53a61ce363
-
SHA512
13b130d6f2ac8be444e16d4b1116812179d5043912a7aa24bd0d566eeecf4447be09fd54266dc12ff1902569d048c93a2d0c827abc135b0159f8156c18f9bf7a
-
SSDEEP
6144:7BYOcLH6/xNtFxaS3DpwmEIey0bGWEbje2bkln5eOy8:76Ocb6/r/xv2GWaeaklQT8
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2