General
- Target: 11c51d37bf779c9bddd210822db13b3fb9df2e497be909e43ec6a548235b53fe
- Size: 249KB
- Sample: 220614-3md38aeff9
- MD5: e0d28d1db02a603762ab733357c24c79
- SHA1: b1b2327235c673c43dfba6966579ed08bbfa2c3f
- SHA256: 11c51d37bf779c9bddd210822db13b3fb9df2e497be909e43ec6a548235b53fe
- SHA512: 5203a794802e9e1c4a274001456ecea190b59de03a6177666cb54064c3e5176143d6b2eceab5edd03299b03410c083565f8f458383a1bcf4139bbce7ad6f4975
Static task: static1
Malware Config
- Extracted: tofsee
  - svartalfheim.top
  - jotunheim.name
Targets
- Target: 11c51d37bf779c9bddd210822db13b3fb9df2e497be909e43ec6a548235b53fe
- suricata: ET MALWARE Observed DNS Query to bablosoft Domain (bablosoft .com)
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext