General
Target: 4ba46ded90040dd549614208eb6afc0654cc5ffb3dde12807c2cb2438c93d75f
Size: 200KB
Sample: 220604-mplm3sbhh6
MD5: 8a7403f31412617d3dc0f1a2e36f63a2
SHA1: ec344995cfc36914ee33fdfe1115e483fde9ba60
SHA256: 4ba46ded90040dd549614208eb6afc0654cc5ffb3dde12807c2cb2438c93d75f
SHA512: a96302a86c5159b3e0d40fa60b8c5d406b9897d5de3c2c4f57e1504abd0429524502ade13902ad5744d027cfa594e6b48d91a32324810c53de5c4330237e26fa
Static task: static1
Malware Config
Extracted: tofsee
svartalfheim.top
jotunheim.name
Targets
Target: 4ba46ded90040dd549614208eb6afc0654cc5ffb3dde12807c2cb2438c93d75f
Size: 200KB
MD5: 8a7403f31412617d3dc0f1a2e36f63a2
SHA1: ec344995cfc36914ee33fdfe1115e483fde9ba60
SHA256: 4ba46ded90040dd549614208eb6afc0654cc5ffb3dde12807c2cb2438c93d75f
SHA512: a96302a86c5159b3e0d40fa60b8c5d406b9897d5de3c2c4f57e1504abd0429524502ade13902ad5744d027cfa594e6b48d91a32324810c53de5c4330237e26fa
Signatures
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext