tofsee | 857e938e8bef854c67fec66d7fbfc7f19e29b81fe4cd8c1e387a9b34918e2f1d | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

857e938e8bef854c67fec66d7fbfc7f19e29b81fe4cd8c1e387a9b34918e2f1d
Size

201KB
Sample

220925-hj3xysdfd4
MD5

2e636c990dc2d04cc549d783da6f462e
SHA1

9095209d363a69b5f4696d2c1de6435dc9745db5
SHA256

857e938e8bef854c67fec66d7fbfc7f19e29b81fe4cd8c1e387a9b34918e2f1d
SHA512

22d1b71371f99da9e6211da17feca7e254cf7295b3cc2ab072c6316881ce736c4f5704013b9c03dec72ef098337bb7d5592d5d5cbfed404f76a9aaf945ce9e49
SSDEEP

3072:nEwJBL4VPtwN5tYxZm024CDz/+8Wep3AT3JBNqdKS/PkIXx:vLEtsIm02h/LdyTRqg

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

857e938e8bef854c67fec66d7fbfc7f19e29b81fe4cd8c1e387a9b34918e2f1d.exe

Resource

win10-20220901-en

tofsee xmrig evasion miner persistence trojan

windows10-1703-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  857e938e8bef854c67fec66d7fbfc7f19e29b81fe4cd8c1e387a9b34918e2f1d
- Size
  
  201KB
- MD5
  
  2e636c990dc2d04cc549d783da6f462e
- SHA1
  
  9095209d363a69b5f4696d2c1de6435dc9745db5
- SHA256
  
  857e938e8bef854c67fec66d7fbfc7f19e29b81fe4cd8c1e387a9b34918e2f1d
- SHA512
  
  22d1b71371f99da9e6211da17feca7e254cf7295b3cc2ab072c6316881ce736c4f5704013b9c03dec72ef098337bb7d5592d5d5cbfed404f76a9aaf945ce9e49
- SSDEEP
  
  3072:nEwJBL4VPtwN5tYxZm024CDz/+8Wep3AT3JBNqdKS/PkIXx:vLEtsIm02h/LdyTRqg
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

© 2018-2024

Terms | Privacy