tofsee | 4ba46ded90040dd549614208eb6afc0654cc5ffb3dde12807c2cb2438c93d75f | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10_x64

Sharing

General

Target

4ba46ded90040dd549614208eb6afc0654cc5ffb3dde12807c2cb2438c93d75f
Size

200KB
Sample

220604-mplm3sbhh6
MD5

8a7403f31412617d3dc0f1a2e36f63a2
SHA1

ec344995cfc36914ee33fdfe1115e483fde9ba60
SHA256

4ba46ded90040dd549614208eb6afc0654cc5ffb3dde12807c2cb2438c93d75f
SHA512

a96302a86c5159b3e0d40fa60b8c5d406b9897d5de3c2c4f57e1504abd0429524502ade13902ad5744d027cfa594e6b48d91a32324810c53de5c4330237e26fa

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

4ba46ded90040dd549614208eb6afc0654cc5ffb3dde12807c2cb2438c93d75f.exe

Resource

win10-20220414-en

tofsee xmrig evasion miner persistence trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  4ba46ded90040dd549614208eb6afc0654cc5ffb3dde12807c2cb2438c93d75f
- Size
  
  200KB
- MD5
  
  8a7403f31412617d3dc0f1a2e36f63a2
- SHA1
  
  ec344995cfc36914ee33fdfe1115e483fde9ba60
- SHA256
  
  4ba46ded90040dd549614208eb6afc0654cc5ffb3dde12807c2cb2438c93d75f
- SHA512
  
  a96302a86c5159b3e0d40fa60b8c5d406b9897d5de3c2c4f57e1504abd0429524502ade13902ad5744d027cfa594e6b48d91a32324810c53de5c4330237e26fa
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

© 2018-2024

Terms | Privacy