General
Target: 8ded92e798318951a3c21cde2fd705a4f14484dea9164adf5150c12be76dccd8
Size: 199KB
Sample: 220604-qylwzsdgdm
MD5: feaf6df1a4f4fecd2067df69c645f450
SHA1: ff48118808403149ae64dc6dce9ea611423bca7e
SHA256: 8ded92e798318951a3c21cde2fd705a4f14484dea9164adf5150c12be76dccd8
SHA512: cd4c944165236204d1a84ff43775e70940a03c0868aac24b853040d0c7251fb092b0ee6d6df073c4e5f3e9f3dd0ad1c559cd182c1250342fe0ffe5b2573873cf
Static task: static1
Malware Config
Extracted: tofsee
svartalfheim.top
jotunheim.name
Targets
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext