tofsee | b94c5e2f0895241a0e9d81d6d8e2e4a0a24e248455cfb7b3d6566315359ea536 | Triage

Submit
Reports

Overview

overview

Static

static

8

075c88f8d6...03.exe

windows7_x64

075c88f8d6...03.exe

windows10_x64

Sharing

General

Target

075c88f8d6465ea8f45e633059d7cb03.exe
Size

154KB
Sample

201229-slygxqpgqe
MD5

075c88f8d6465ea8f45e633059d7cb03
SHA1

4e664d06dd0b7bdc3bfaf43aeafabb4fe7e2ebb1
SHA256

b94c5e2f0895241a0e9d81d6d8e2e4a0a24e248455cfb7b3d6566315359ea536
SHA512

703e0c06b58589c885eb5a3e6bdb1c17ce21ad0c97501a82c485ba3b1eec2eaa056726d32699e09d68b34a88b60f50d164d7d60282632d5ce07654f773420bad

Score

10^/10

tofsee xmrig evasion miner persistence trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

075c88f8d6465ea8f45e633059d7cb03.exe

Resource

win7v20201028

tofsee xmrig evasion miner persistence trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

075c88f8d6465ea8f45e633059d7cb03.exe

Resource

win10v20201028

tofsee xmrig evasion miner persistence trojan upx

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  075c88f8d6465ea8f45e633059d7cb03.exe
- Size
  
  154KB
- MD5
  
  075c88f8d6465ea8f45e633059d7cb03
- SHA1
  
  4e664d06dd0b7bdc3bfaf43aeafabb4fe7e2ebb1
- SHA256
  
  b94c5e2f0895241a0e9d81d6d8e2e4a0a24e248455cfb7b3d6566315359ea536
- SHA512
  
  703e0c06b58589c885eb5a3e6bdb1c17ce21ad0c97501a82c485ba3b1eec2eaa056726d32699e09d68b34a88b60f50d164d7d60282632d5ce07654f773420bad
Score

10^/10

tofsee xmrig evasion miner persistence trojan upx
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojanupx

behavioral2

tofseexmrigevasionminerpersistencetrojanupx

© 2018-2024

Terms | Privacy