General
Target: 284ed6ed462b3bdd86a312bc9809128ae4e95e74a882e80c2ae28793a60547f2
Size: 197KB
Sample: 220924-25ddzacdb7
MD5: e9bea2fcfe2d5db06689cb740d2acf80
SHA1: df53499ece31d0768e64cd155239fd9b99d3d6c1
SHA256: 284ed6ed462b3bdd86a312bc9809128ae4e95e74a882e80c2ae28793a60547f2
SHA512: 40b44782ffba0e8aac41627bd2aaf80bc2d6906cdcd7752cb9eac3be606b3eadea9d6069195ffb18db24019580e89f5f0f82b4cc49f6bd2497903f67909a968d
SSDEEP: 3072:lPsFfSLiJblJhN5muBiRnYB/k3E2Fp64zDWGpBMY/PkkXx:JLklJ1gYdf6BzD
Static task: static1
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Targets
Target: 284ed6ed462b3bdd86a312bc9809128ae4e95e74a882e80c2ae28793a60547f2
- XMRig Miner payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext