General
-
Target
4940fa86109505f9f75f3852d1d86a38af4dd07e344f80469908ffaa354a1d48
-
Size
10.5MB
-
Sample
241011-yhxbsazhjc
-
MD5
7fb21c8ddc056e635e38d2b54e0f58ed
-
SHA1
ee3d38330b9485e06a2bf4098fffbab3bcb92817
-
SHA256
4940fa86109505f9f75f3852d1d86a38af4dd07e344f80469908ffaa354a1d48
-
SHA512
10edeef859109cc83a57f561b572742cc1cac88cc30f7ca727e0097b4ec94d66d39a8effcbf893cf06047d4a6e7c8340ff7edf462c02d61488b35af6aac4088d
-
SSDEEP
49152:cEtmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm/:b
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
4940fa86109505f9f75f3852d1d86a38af4dd07e344f80469908ffaa354a1d48
-
Size
10.5MB
-
MD5
7fb21c8ddc056e635e38d2b54e0f58ed
-
SHA1
ee3d38330b9485e06a2bf4098fffbab3bcb92817
-
SHA256
4940fa86109505f9f75f3852d1d86a38af4dd07e344f80469908ffaa354a1d48
-
SHA512
10edeef859109cc83a57f561b572742cc1cac88cc30f7ca727e0097b4ec94d66d39a8effcbf893cf06047d4a6e7c8340ff7edf462c02d61488b35af6aac4088d
-
SSDEEP
49152:cEtmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm/:b
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1