tofsee | d1e5a43651a23c058b1a0db11f7cdf61fec98f6f35922b2fa2efd5b6af361660 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-2004_x64

Sharing

General

Target

d1e5a43651a23c058b1a0db11f7cdf61fec98f6f35922b2fa2efd5b6af361660
Size

270KB
Sample

220124-d3p3zsbbf6
MD5

dd21a90907a782df7b3e24a9de9822be
SHA1

cd0f545b5dd9c514511f27703e02527162cac6bb
SHA256

d1e5a43651a23c058b1a0db11f7cdf61fec98f6f35922b2fa2efd5b6af361660
SHA512

b3cf0ad508f787e5eb402960ca9696910140aad3d7c78117465738afab50804b2be9eb120e83cdd62d2a399d63100425d7ca0e10b33aa2baa0e8e4604055b9db

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

d1e5a43651a23c058b1a0db11f7cdf61fec98f6f35922b2fa2efd5b6af361660.exe

Resource

win10v2004-en-20220112

tofsee xmrig evasion miner persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

tofsee

C2

patmushta.info

ovicrush.cn

Targets

- Target
  
  d1e5a43651a23c058b1a0db11f7cdf61fec98f6f35922b2fa2efd5b6af361660
- Size
  
  270KB
- MD5
  
  dd21a90907a782df7b3e24a9de9822be
- SHA1
  
  cd0f545b5dd9c514511f27703e02527162cac6bb
- SHA256
  
  d1e5a43651a23c058b1a0db11f7cdf61fec98f6f35922b2fa2efd5b6af361660
- SHA512
  
  b3cf0ad508f787e5eb402960ca9696910140aad3d7c78117465738afab50804b2be9eb120e83cdd62d2a399d63100425d7ca0e10b33aa2baa0e8e4604055b9db
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

© 2018-2024

Terms | Privacy