tofsee | 3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10_x64

Sharing

General

Target

3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6
Size

310KB
Sample

220605-mn8ffshhe2
MD5

a45e220e667e0d0e85b476f6e5835086
SHA1

1a48b13932940ec999cbd46ff74406bc9931806c
SHA256

3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6
SHA512

852487ba3bf35ef128e7ce61d7ecde726eacf4cab2ee9c45632afe22662ff8fe713d243c73b07ffb0ae2c416218c9c8e548dba3214de9ad169265bbd925604ef

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6.exe

Resource

win10-20220414-en

tofsee xmrig evasion miner persistence trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6
- Size
  
  310KB
- MD5
  
  a45e220e667e0d0e85b476f6e5835086
- SHA1
  
  1a48b13932940ec999cbd46ff74406bc9931806c
- SHA256
  
  3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6
- SHA512
  
  852487ba3bf35ef128e7ce61d7ecde726eacf4cab2ee9c45632afe22662ff8fe713d243c73b07ffb0ae2c416218c9c8e548dba3214de9ad169265bbd925604ef
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

© 2018-2024

Terms | Privacy