General
-
Target
79304d3709f4266d76e318d24d5863b3cc14a8fb64bc02145fbf23d398803753
-
Size
237KB
-
Sample
241013-ygy4zsvdpe
-
MD5
e180178b04f30c79a29231d10dbf3549
-
SHA1
31dec58acfcbf1f9b60a53ca6a0e589123106450
-
SHA256
79304d3709f4266d76e318d24d5863b3cc14a8fb64bc02145fbf23d398803753
-
SHA512
7036bcead8bcbaa1e40158b78cdcf5fa137f14a330670bfafca807c237eb4779a35a81a0be78c8a10358346a3adb60a737ca3e4699660f6117b36b470c6d6e9f
-
SSDEEP
3072:ALEeqY70pT7Ov4epeBWsj5zEqONJUFqQj1yw7:ALEHRpT7cxM1XFE
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
79304d3709f4266d76e318d24d5863b3cc14a8fb64bc02145fbf23d398803753
-
Size
237KB
-
MD5
e180178b04f30c79a29231d10dbf3549
-
SHA1
31dec58acfcbf1f9b60a53ca6a0e589123106450
-
SHA256
79304d3709f4266d76e318d24d5863b3cc14a8fb64bc02145fbf23d398803753
-
SHA512
7036bcead8bcbaa1e40158b78cdcf5fa137f14a330670bfafca807c237eb4779a35a81a0be78c8a10358346a3adb60a737ca3e4699660f6117b36b470c6d6e9f
-
SSDEEP
3072:ALEeqY70pT7Ov4epeBWsj5zEqONJUFqQj1yw7:ALEHRpT7cxM1XFE
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1