General

  • Target

    a0330635ce7a544213e96160b46657fbc7c774c29e7224d9d9d7363253fd53f4

  • Size

    13.9MB

  • Sample

    241214-xn9nma1ma1

  • MD5

    2b34fa5102a1706dae4a66b48d08dd4e

  • SHA1

    28c2e4119f1ad75f64ca6c63edcf7709fbc65f32

  • SHA256

    a0330635ce7a544213e96160b46657fbc7c774c29e7224d9d9d7363253fd53f4

  • SHA512

    ad94a47157e1457699e9b6334c461b0c4d223958c72e133f68859e0a0c0f3886da8edb629a1a7e5fd594a8c0944b3e43c7e916f4059785cfd8b05c3cacd93223

  • SSDEEP

    3072:I1MBkxvfGaF/FzWb9VT5aLj/JSC5kJwSFjhvoGECaNwxAk8Je8Je8Je8Je8Je8JR:Pk5FOkjRSC6SS+N+

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      a0330635ce7a544213e96160b46657fbc7c774c29e7224d9d9d7363253fd53f4

    • Size

      13.9MB

    • MD5

      2b34fa5102a1706dae4a66b48d08dd4e

    • SHA1

      28c2e4119f1ad75f64ca6c63edcf7709fbc65f32

    • SHA256

      a0330635ce7a544213e96160b46657fbc7c774c29e7224d9d9d7363253fd53f4

    • SHA512

      ad94a47157e1457699e9b6334c461b0c4d223958c72e133f68859e0a0c0f3886da8edb629a1a7e5fd594a8c0944b3e43c7e916f4059785cfd8b05c3cacd93223

    • SSDEEP

      3072:I1MBkxvfGaF/FzWb9VT5aLj/JSC5kJwSFjhvoGECaNwxAk8Je8Je8Je8Je8Je8JR:Pk5FOkjRSC6SS+N+

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Tofsee family

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks