General
-
Target
e5e504710b99893aea0e451eacfb7c62839a131303977db144bb8b5c1fca2200.exe
-
Size
139KB
-
Sample
241209-sj7agswqbp
-
MD5
2ae457d156c22881f61b52e2c1cad0d2
-
SHA1
4fcdcda539765d33c716903c319120b880cacb3f
-
SHA256
e5e504710b99893aea0e451eacfb7c62839a131303977db144bb8b5c1fca2200
-
SHA512
1eb581073f17dbe3a5f13c6924d8d00b7b7affed5ee3c26c27e2082abaccd8b379f32c5ed4c83bcd642db68ac978357cbe3d9aee641ba31f2eb97f76a407ca2a
-
SSDEEP
3072:z1LM23IP5rlPTB4Nx13iVXxoFKlRtPnf:dMVlWxpiVhoqRtPf
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Targets
-
-
Target
e5e504710b99893aea0e451eacfb7c62839a131303977db144bb8b5c1fca2200.exe
-
Size
139KB
-
MD5
2ae457d156c22881f61b52e2c1cad0d2
-
SHA1
4fcdcda539765d33c716903c319120b880cacb3f
-
SHA256
e5e504710b99893aea0e451eacfb7c62839a131303977db144bb8b5c1fca2200
-
SHA512
1eb581073f17dbe3a5f13c6924d8d00b7b7affed5ee3c26c27e2082abaccd8b379f32c5ed4c83bcd642db68ac978357cbe3d9aee641ba31f2eb97f76a407ca2a
-
SSDEEP
3072:z1LM23IP5rlPTB4Nx13iVXxoFKlRtPnf:dMVlWxpiVhoqRtPf
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Windows security bypass
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
2