General

  • Target

    6ab57929c7fb967824f95db9980c8b85cc6f112e2037b78d7e11e1760ee9870f

  • Size

    172KB

  • Sample

    241122-vh697svjcy

  • MD5

    c795a6ac03536cab09f978bc5791a9b6

  • SHA1

    3e44e52011285caf407bf1a50175699cd4f3d673

  • SHA256

    6ab57929c7fb967824f95db9980c8b85cc6f112e2037b78d7e11e1760ee9870f

  • SHA512

    173fbfd25d69b2e2b5f2a8d7d814278a439d13ec6ec6c93a1b662126dd23295105eff9f05d1438f95863caa328a28a977a9aa85c68c09256e5a0b392e0adf2eb

  • SSDEEP

    3072:HTLTWx01rYIM9Nhrqzn150fkTCUuhGgrBXETBS:zLTz8ICNDfzUcGS

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      6ab57929c7fb967824f95db9980c8b85cc6f112e2037b78d7e11e1760ee9870f

    • Size

      172KB

    • MD5

      c795a6ac03536cab09f978bc5791a9b6

    • SHA1

      3e44e52011285caf407bf1a50175699cd4f3d673

    • SHA256

      6ab57929c7fb967824f95db9980c8b85cc6f112e2037b78d7e11e1760ee9870f

    • SHA512

      173fbfd25d69b2e2b5f2a8d7d814278a439d13ec6ec6c93a1b662126dd23295105eff9f05d1438f95863caa328a28a977a9aa85c68c09256e5a0b392e0adf2eb

    • SSDEEP

      3072:HTLTWx01rYIM9Nhrqzn150fkTCUuhGgrBXETBS:zLTz8ICNDfzUcGS

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks