General

  • Target

    e4352f63724267bed81e8c199bd8ca0f.exe

  • Size

    416KB

  • Sample

    241011-rzx63sserr

  • MD5

    e4352f63724267bed81e8c199bd8ca0f

  • SHA1

    ce9c69ca36920f076fe1369be4d9001085ca8602

  • SHA256

    5ffda142aa321a2b5546c426a28403d7f19b51b88985c8617f11c04411489e30

  • SHA512

    afe8786dade10b520aeee40fc661d0f86b370e2c0272be3a462033cdc4b9cf91ddf8a2f2f6628c478da8736dbd7704d8da3b577c5afeb053db79dad1556c8bc4

  • SSDEEP

    3072://IcJg7uMwZi9VaiI2PLP7zIyMDWVYvVtKHpA6PYYNp/GG7Ig7LRACfij5+U/p49:HH0uMvGiI2PLgW4upRfJGuLmHsU

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      e4352f63724267bed81e8c199bd8ca0f.exe

    • Size

      416KB

    • MD5

      e4352f63724267bed81e8c199bd8ca0f

    • SHA1

      ce9c69ca36920f076fe1369be4d9001085ca8602

    • SHA256

      5ffda142aa321a2b5546c426a28403d7f19b51b88985c8617f11c04411489e30

    • SHA512

      afe8786dade10b520aeee40fc661d0f86b370e2c0272be3a462033cdc4b9cf91ddf8a2f2f6628c478da8736dbd7704d8da3b577c5afeb053db79dad1556c8bc4

    • SSDEEP

      3072://IcJg7uMwZi9VaiI2PLP7zIyMDWVYvVtKHpA6PYYNp/GG7Ig7LRACfij5+U/p49:HH0uMvGiI2PLgW4upRfJGuLmHsU

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks