General

  • Target

    e6047ee3e2b7715bf8aa2ed7be60c9d7.exe

  • Size

    238KB

  • Sample

    241013-f6kc1s1enf

  • MD5

    e6047ee3e2b7715bf8aa2ed7be60c9d7

  • SHA1

    8754c4ec41c424aca4e8e4d4f0dc69e0b6b08808

  • SHA256

    6622b3119c7f0e8c1228b18773cd76721c77a3fd7d871c8943974a034652b8a0

  • SHA512

    31458e228c2d778ad9eaf14fc7debec7bd00db22941d2fd5f29fa73b5f2f076210fd45db2fccd43851f0ce9ca02b77328047470dbd5258343f5e6f31211e965f

  • SSDEEP

    6144:mwDpmSK310WEb9GBW73mIX/MIos0Vdh1aQ:moppM10WSKY2IQVdz

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      e6047ee3e2b7715bf8aa2ed7be60c9d7.exe

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
