Overview

overview

10

Static

static

dridex

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ea3f1761b58df1891e2c8a0550864578194aaf8e6299f920e9aa14ef12a57a8d

  • Size

    307KB

  • Sample

    220603-2hdq8abebp

  • MD5

    22611ea41c1568cb3aeeea5168f432a3

  • SHA1

    26c7be59dc71e41a4ed9de09e78ca1fdaadc73c5

  • SHA256

    ea3f1761b58df1891e2c8a0550864578194aaf8e6299f920e9aa14ef12a57a8d

  • SHA512

    5b6cf583961ff03b526bdf5a2116a84b5fd467d121cc3a5c7e69a59a93b0ca419fa5c2c183fa7145598ff1bf2e2fb96a368e7abd2af82952fab5dd482ea7f9c9

Score
10/10
tofseexmrigcollectionevasionminerpersistencesuricatatrojanvmprotect

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      ea3f1761b58df1891e2c8a0550864578194aaf8e6299f920e9aa14ef12a57a8d

    • Size

      307KB

    • MD5

      22611ea41c1568cb3aeeea5168f432a3

    • SHA1

      26c7be59dc71e41a4ed9de09e78ca1fdaadc73c5

    • SHA256

      ea3f1761b58df1891e2c8a0550864578194aaf8e6299f920e9aa14ef12a57a8d

    • SHA512

      5b6cf583961ff03b526bdf5a2116a84b5fd467d121cc3a5c7e69a59a93b0ca419fa5c2c183fa7145598ff1bf2e2fb96a368e7abd2af82952fab5dd482ea7f9c9

    Score
    10/10
    tofseexmrigcollectionevasionminerpersistencesuricatatrojanvmprotect

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

      suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner Payload

      miner

    • Creates new service(s)

      persistence

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Deletes itself

    • Accesses Microsoft Outlook profiles

      collection

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks