General
-
Target
67e866c9c16276ce24d73f0cfdfdec133c0bd733d731434f8e7c7fe32dcc86b8
-
Size
177KB
-
Sample
220604-e5ln1sedbl
-
MD5
2dd3efc878f4567527db54323529c4e1
-
SHA1
e961c28347d17e844dc350e3a64adfd6cc408481
-
SHA256
67e866c9c16276ce24d73f0cfdfdec133c0bd733d731434f8e7c7fe32dcc86b8
-
SHA512
67e45e20e4bc9b079a47f5e2a961d2805b602b9c42f6cc8e28685c6b5c869e492b87abff8df96084e711db26b8da8e17b43bdade4d15f12b560e394d35b19dec
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Targets
-
-
Target
67e866c9c16276ce24d73f0cfdfdec133c0bd733d731434f8e7c7fe32dcc86b8
-
Size
177KB
-
MD5
2dd3efc878f4567527db54323529c4e1
-
SHA1
e961c28347d17e844dc350e3a64adfd6cc408481
-
SHA256
67e866c9c16276ce24d73f0cfdfdec133c0bd733d731434f8e7c7fe32dcc86b8
-
SHA512
67e45e20e4bc9b079a47f5e2a961d2805b602b9c42f6cc8e28685c6b5c869e492b87abff8df96084e711db26b8da8e17b43bdade4d15f12b560e394d35b19dec
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-