Description
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
General
Target
Size
Sample
63263a6a2a9455c1159d95e2afd705167219e9f35ad5d59ef186e25ab02ba1cb
313KB
220620-tfhndsedgm
Score
10/10
MD5
SHA1
SHA256
SHA512
b440d803ab42f31567a4d4d61aa4ef94
232319681df1e403b35fb69d95bd1dfce23b600f
63263a6a2a9455c1159d95e2afd705167219e9f35ad5d59ef186e25ab02ba1cb
78808ce22660e9e75615f0aa55e6e74e668d7b7689b020a1b54e7114a3746230ebc8da96882440c89304d50bf135796ad972be0ea3ff7a1237721587d07af497
Malware Config
Extracted
| Family | tofsee |
| C2 |
svartalfheim.top jotunheim.name |
Targets
Target
MD5
Filesize
63263a6a2a9455c1159d95e2afd705167219e9f35ad5d59ef186e25ab02ba1cb
b440d803ab42f31567a4d4d61aa4ef94
313KB
Score
10/10
SHA1
SHA256
SHA512
232319681df1e403b35fb69d95bd1dfce23b600f
63263a6a2a9455c1159d95e2afd705167219e9f35ad5d59ef186e25ab02ba1cb
78808ce22660e9e75615f0aa55e6e74e668d7b7689b020a1b54e7114a3746230ebc8da96882440c89304d50bf135796ad972be0ea3ff7a1237721587d07af497
Tags
Signatures
-
Tofsee
-
xmrig
Description
XMRig is a high performance, open source, cross platform CPU/GPU miner.
Tags
-
XMRig Miner Payload
Tags
-
Creates new service(s)
Tags
TTPs
-
Executes dropped EXE
-
Modifies Windows Firewall
Tags
TTPs
-
Sets service image path in registry
Tags
TTPs
-
Checks computer location settings
Description
Looks up country code configured in the registry, likely geofence.
TTPs
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Tasks
static1
Score
N/A
behavioral1
Score
10/10