General
-
Target
77ac2b9604d89716061ef9874c44de4772172378b46d63886db0f55800feeb32N.exe
-
Size
71KB
-
Sample
240925-s65eeatcql
-
MD5
5998ae6f6db418940a38ed466256e490
-
SHA1
e37a169800217c49f3cb40d07e7caaedb4a6996f
-
SHA256
77ac2b9604d89716061ef9874c44de4772172378b46d63886db0f55800feeb32
-
SHA512
09faa0a92cacc3154620e85099ff3bd8f4765786a6346a1d9ee9af8ab75e18e4c12d2ac739c2419d541abfbe50f2c01c6a6c56f4d54bf0d9b9b0b4967ed73c07
-
SSDEEP
1536:Dkes21VCy1nTxSYg3CXTjFWL9idpIHUc:DDVCyFxSYACXF7pI0
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
77ac2b9604d89716061ef9874c44de4772172378b46d63886db0f55800feeb32N.exe
-
Size
71KB
-
MD5
5998ae6f6db418940a38ed466256e490
-
SHA1
e37a169800217c49f3cb40d07e7caaedb4a6996f
-
SHA256
77ac2b9604d89716061ef9874c44de4772172378b46d63886db0f55800feeb32
-
SHA512
09faa0a92cacc3154620e85099ff3bd8f4765786a6346a1d9ee9af8ab75e18e4c12d2ac739c2419d541abfbe50f2c01c6a6c56f4d54bf0d9b9b0b4967ed73c07
-
SSDEEP
1536:Dkes21VCy1nTxSYg3CXTjFWL9idpIHUc:DDVCyFxSYACXF7pI0
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2