tofsee | add8d95ef5d7841053b6ad4be0c945e08f33ead91e3d8739096259a803ff7bd9 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10_x64

Sharing

General

Target

add8d95ef5d7841053b6ad4be0c945e08f33ead91e3d8739096259a803ff7bd9
Size

176KB
Sample

211126-tgnwssddaj
MD5

841f580ad01f6fb7e77d4f5548c904e1
SHA1

bd9e6f033297b83e5017c829d711489d41b941a3
SHA256

add8d95ef5d7841053b6ad4be0c945e08f33ead91e3d8739096259a803ff7bd9
SHA512

782771e39e06072ee4ea2669f54cdd9815bb0f08bf3b0a7edd46d75d2e206bbb2d069413a71fa96533ca11426f348bd33e9b6217a5fc2a4c0d54055995beaac1

Score

10^/10

tofsee xmrig evasion miner persistence suricata trojan

Static task

static1

Behavioral task

behavioral1

Sample

add8d95ef5d7841053b6ad4be0c945e08f33ead91e3d8739096259a803ff7bd9.exe

Resource

win10-en-20211104

tofsee xmrig evasion miner persistence suricata trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Targets

- Target
  
  add8d95ef5d7841053b6ad4be0c945e08f33ead91e3d8739096259a803ff7bd9
- Size
  
  176KB
- MD5
  
  841f580ad01f6fb7e77d4f5548c904e1
- SHA1
  
  bd9e6f033297b83e5017c829d711489d41b941a3
- SHA256
  
  add8d95ef5d7841053b6ad4be0c945e08f33ead91e3d8739096259a803ff7bd9
- SHA512
  
  782771e39e06072ee4ea2669f54cdd9815bb0f08bf3b0a7edd46d75d2e206bbb2d069413a71fa96533ca11426f348bd33e9b6217a5fc2a4c0d54055995beaac1
Score

10^/10

tofsee xmrig evasion miner persistence suricata trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- suricata: ET MALWARE DNS Query Sinkhole Domain Various Families (Possible Infected Host)
  suricata: ET MALWARE DNS Query Sinkhole Domain Various Families (Possible Infected Host)
  suricata
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencesuricatatrojan

© 2018-2024

Terms | Privacy