General
- Target: 287e002bf329ee3f6ec1230b485c5f031d91dd390e5a6e9052d523a7dd5dc3bc
- Size: 177KB
- Sample: 211126-tv8hcsddfn
- MD5: 97bc4f010461e0fc785ac95d30924b98
- SHA1: dd69f99df6d60fef9823413dd803894134a756f0
- SHA256: 287e002bf329ee3f6ec1230b485c5f031d91dd390e5a6e9052d523a7dd5dc3bc
- SHA512: 38692893660a36879146a064b0a32730977bd13f71a4a887ff203840f2cb6a5fd360ccce59499286508b7e3c123c7fb87702ba3755e8d664310b1d86c8be7660
Static task
- static1

Malware Config
- Extracted: tofsee
- quadoil.ru
- lakeflex.ru
Targets
- Target: 287e002bf329ee3f6ec1230b485c5f031d91dd390e5a6e9052d523a7dd5dc3bc
- Size: 177KB
- MD5: 97bc4f010461e0fc785ac95d30924b98
- SHA1: dd69f99df6d60fef9823413dd803894134a756f0
- SHA256: 287e002bf329ee3f6ec1230b485c5f031d91dd390e5a6e9052d523a7dd5dc3bc
- SHA512: 38692893660a36879146a064b0a32730977bd13f71a4a887ff203840f2cb6a5fd360ccce59499286508b7e3c123c7fb87702ba3755e8d664310b1d86c8be7660
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext