tofsee | 4c36dc53a4da6637f1d99a121a74eafacd51abf88dd5931e90824f15258258a3 | Triage

Submit
Reports

Overview

overview

Static

static

d093330127...b3.exe

windows7_x64

d093330127...b3.exe

windows10-2004_x64

Sharing

General

Target

d093330127cd6c30968467a9336881ab023acf4cba757f6dd5ac566b1b2285b3
Size

144KB
Sample

220606-tptf9adhel
MD5

bc0efc29203646c036ac74c7ced8ab5b
SHA1

1bf2e994be6bd78ae7ef4ef11e1cac0d159f5f84
SHA256

4c36dc53a4da6637f1d99a121a74eafacd51abf88dd5931e90824f15258258a3
SHA512

09aa6d1470d1e7b06f376268190d78eaea416944ee22a0e318d6440c0ee931aa3a79c0deedde1263682bb39397b88e757a9cd709b83d804fdbc141a501156563

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

d093330127cd6c30968467a9336881ab023acf4cba757f6dd5ac566b1b2285b3.exe

Resource

win7-20220414-en

tofsee xmrig evasion miner persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

d093330127cd6c30968467a9336881ab023acf4cba757f6dd5ac566b1b2285b3.exe

Resource

win10v2004-20220414-en

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  d093330127cd6c30968467a9336881ab023acf4cba757f6dd5ac566b1b2285b3
- Size
  
  263KB
- MD5
  
  d5fb631f61c85ae433748255e294c6ce
- SHA1
  
  edc47ed3f6e91a3c6f61b2e4ff76a60387792712
- SHA256
  
  d093330127cd6c30968467a9336881ab023acf4cba757f6dd5ac566b1b2285b3
- SHA512
  
  236d640cd926e6b5b306464b259e209b77e6201550345ee75e39fa6233c770b6600131d0ff32c1be753d3e8b333bc902338870ff29541aa07f1939fe182e1af1
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

behavioral2

© 2018-2024

Terms | Privacy