General
-
Target
2025-04-24_d0d3f9f7435518811c3482560d9c8bcf_amadey_elex_karagany_rhadamanthys_smoke-loader_stealc
-
Size
10.5MB
-
Sample
250424-vb7bmasky4
-
MD5
d0d3f9f7435518811c3482560d9c8bcf
-
SHA1
dd6999aeccfdfc9169b852d73ba7a6c2119c0f39
-
SHA256
535c743f49a419c63d37515b00126d1f21ea953b19d5fa76cc111f6c9b48d692
-
SHA512
e328b04215317879a914cb5b405a8205c77edc69a7ba207b25ae51c140f309a870363280866cbbb6580bf0c419407da97c350773faa2df59192ff5b38262486f
-
SSDEEP
3072:Ldh4rj43qHj/zjgRYR6lVatBLufQxMmYq7sxkgaBCh:T4rj46/zjgRI2atBLTMYQiga
Malware Config
Extracted
tofsee
niflheimr.cn
jotunheim.name
Targets
-
-
Target
2025-04-24_d0d3f9f7435518811c3482560d9c8bcf_amadey_elex_karagany_rhadamanthys_smoke-loader_stealc
-
Size
10.5MB
-
MD5
d0d3f9f7435518811c3482560d9c8bcf
-
SHA1
dd6999aeccfdfc9169b852d73ba7a6c2119c0f39
-
SHA256
535c743f49a419c63d37515b00126d1f21ea953b19d5fa76cc111f6c9b48d692
-
SHA512
e328b04215317879a914cb5b405a8205c77edc69a7ba207b25ae51c140f309a870363280866cbbb6580bf0c419407da97c350773faa2df59192ff5b38262486f
-
SSDEEP
3072:Ldh4rj43qHj/zjgRYR6lVatBLufQxMmYq7sxkgaBCh:T4rj46/zjgRI2atBLTMYQiga
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Tofsee family
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1