General
-
Target
e4352f63724267bed81e8c199bd8ca0f.exe
-
Size
416KB
-
Sample
241011-rxz8nasejn
-
MD5
e4352f63724267bed81e8c199bd8ca0f
-
SHA1
ce9c69ca36920f076fe1369be4d9001085ca8602
-
SHA256
5ffda142aa321a2b5546c426a28403d7f19b51b88985c8617f11c04411489e30
-
SHA512
afe8786dade10b520aeee40fc661d0f86b370e2c0272be3a462033cdc4b9cf91ddf8a2f2f6628c478da8736dbd7704d8da3b577c5afeb053db79dad1556c8bc4
-
SSDEEP
3072://IcJg7uMwZi9VaiI2PLP7zIyMDWVYvVtKHpA6PYYNp/GG7Ig7LRACfij5+U/p49:HH0uMvGiI2PLgW4upRfJGuLmHsU
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
e4352f63724267bed81e8c199bd8ca0f.exe
-
Size
416KB
-
MD5
e4352f63724267bed81e8c199bd8ca0f
-
SHA1
ce9c69ca36920f076fe1369be4d9001085ca8602
-
SHA256
5ffda142aa321a2b5546c426a28403d7f19b51b88985c8617f11c04411489e30
-
SHA512
afe8786dade10b520aeee40fc661d0f86b370e2c0272be3a462033cdc4b9cf91ddf8a2f2f6628c478da8736dbd7704d8da3b577c5afeb053db79dad1556c8bc4
-
SSDEEP
3072://IcJg7uMwZi9VaiI2PLP7zIyMDWVYvVtKHpA6PYYNp/GG7Ig7LRACfij5+U/p49:HH0uMvGiI2PLgW4upRfJGuLmHsU
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2