General
Target: 8ac12e37cf6a741c0b68e1f698693b077332287351a6e0535903b747c701f8a6
Size: 200KB
Sample: 220604-pm3vpabebn
MD5: b08ead583459fc6b3237b21994c3f8ff
SHA1: fbac4d0f810aa5149b5fc9904273377bf1b52d07
SHA256: 8ac12e37cf6a741c0b68e1f698693b077332287351a6e0535903b747c701f8a6
SHA512: 906e55d77891c524b04c8fb57b9838f4b9e6793f34a88b3c040731a26346031057bcb7556cdd8972c3a60e9113a821f1a9e1994aa128b164039bd5ca7d961cb1
Static task: static1

Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Targets
Target: 8ac12e37cf6a741c0b68e1f698693b077332287351a6e0535903b747c701f8a6
Size: 200KB
Signatures
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Deletes itself
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext