tofsee | 71aed22dad72edfbde89027a6b8493823ce54b97982e2a08afc3e7b7c774ef8e | Triage

Submit
Reports

Overview

overview

Static

static

408350d5ec...72.exe

windows7-x64

408350d5ec...72.exe

windows10-2004-x64

Sharing

General

Target

7738426258.zip
Size

226KB
Sample

220729-l284gahbgn
MD5

170e727154503880abee16de87b2b7c6
SHA1

b5703e38017b117f07016aa24cd5e3f8f1ff2225
SHA256

71aed22dad72edfbde89027a6b8493823ce54b97982e2a08afc3e7b7c774ef8e
SHA512

bad9b57ffe873fe0d124ee940465e50e37d4e53f0e5ddc3cf7304c34e0503c16ca12f3f3e597da99c6b065298a233320b71290ac071127e461be72ae7fa2bc09

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

408350d5ec3b95b75b24c7b37129c3b1761da78525c1cf65c561dc798f966f72.exe

Resource

win7-20220718-en

tofsee xmrig evasion miner persistence trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

408350d5ec3b95b75b24c7b37129c3b1761da78525c1cf65c561dc798f966f72.exe

Resource

win10v2004-20220721-en

tofsee xmrig evasion miner persistence trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

patmushta.info

parubey.info

Targets

- Target
  
  408350d5ec3b95b75b24c7b37129c3b1761da78525c1cf65c561dc798f966f72
- Size
  
  11.2MB
- MD5
  
  0f5f585eae17de900df160d215979eb2
- SHA1
  
  148a441b6a64b32903ff9d57da531f0d4556b3a6
- SHA256
  
  408350d5ec3b95b75b24c7b37129c3b1761da78525c1cf65c561dc798f966f72
- SHA512
  
  63944f2d3e6edb69f654338e3783d14a46e4776c15f044522c4040bb5c3646a487c86441d0de31f464ee4e41a3b9d851ec7b8a06f05c27d1465553536ac03ef1
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

behavioral2

tofseexmrigevasionminerpersistencetrojan

© 2018-2024

Terms | Privacy