General
Target: e687feecb21bcbd4d4337842b7917d1db503dce7c75d6e7f12a8878a412e809d
Size: 185KB
Sample: 220613-b8mtpshcc9
MD5: 06475a5524fc071ba6e4b9530712503b
SHA1: 78b8db45014b75ad1665f367fcbf91812f41c16b
SHA256: e687feecb21bcbd4d4337842b7917d1db503dce7c75d6e7f12a8878a412e809d
SHA512: d816d91804eeac1e96618dad5d5fc57296114a22977d8c9735cf680c7092936633dfb6e579beba9a8c7627fdaef1e71712b99f69effab5691763f20f28ca2a5c
Static task: static1
Malware Config
Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Targets
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Deletes itself
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext