General
- Target: f0812f666ec17611266540189fe7699b2ca3a6af103dd9f0f207739221ccfcf2
- Size: 259KB
- Sample: 220615-pgbt1sheg2
- MD5: b36acc5c9eeb85172b6a2b7825669e44
- SHA1: 317af2adbad05943cf7344148ff6c56facf0dd6d
- SHA256: f0812f666ec17611266540189fe7699b2ca3a6af103dd9f0f207739221ccfcf2
- SHA512: 0121d3a42ffcfdd36a5f242cf42ce99b5f30dcab4ed6792a6ba2e09d179d4cf3d71602e46d8e255a7317ac651c774cb3914f0e7bdf044254231b2a533b3766af
Static task: static1
Malware Config
- Extracted: tofsee
- svartalfheim.top
- jotunheim.name
Targets
- Target: f0812f666ec17611266540189fe7699b2ca3a6af103dd9f0f207739221ccfcf2 (same sample as listed under General)
- XMRig Miner Payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Deletes itself
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext