tofsee | 553ce75a13c88ab7422641d393c472170ff4368e79eaa1715ab7611bc3ef508d | Triage

Submit
Reports

Overview

overview

Static

static

02b4c3dcc4...a2.exe

windows7-x64

02b4c3dcc4...a2.exe

windows10-2004-x64

Sharing

General

Target

02b4c3dcc4673e8e5b5209e2cbad26584be30b40b082d0bf906ae4d60e9487a2
Size

158KB
Sample

221028-yyqh6sebbm
MD5

7cedde86e6bd1a06c443cada40905aa9
SHA1

4577f0b655f3ba1c19ccba4192e6e5fce180fc30
SHA256

553ce75a13c88ab7422641d393c472170ff4368e79eaa1715ab7611bc3ef508d
SHA512

94a3fe5ec3d1c452a29533751ce02f627262e57cb8e847f2ee8737884812d546c2c479bd4d5b6cf025135eb4a610f9a7642272e34ccc5151038087871b9b7693
SSDEEP

3072:n6hHIc3hRprDrShR1Wrb0ykBIm9w0e7hwiXJlx+It4RQcS3Xdif940noDcG:6thR1iR1WrbEe7yiXVxt4RQFHEfJ2

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

02b4c3dcc4673e8e5b5209e2cbad26584be30b40b082d0bf906ae4d60e9487a2.exe

Resource

win7-20220901-en

tofsee xmrig evasion miner persistence trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

02b4c3dcc4673e8e5b5209e2cbad26584be30b40b082d0bf906ae4d60e9487a2.exe

Resource

win10v2004-20220901-en

tofsee xmrig evasion miner persistence trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  02b4c3dcc4673e8e5b5209e2cbad26584be30b40b082d0bf906ae4d60e9487a2
- Size
  
  260KB
- MD5
  
  ef7e4a69cb1f773ee7b5ac597f06418a
- SHA1
  
  7c09ac3d21a7e7866f8a74c6e39f496a75e005ee
- SHA256
  
  02b4c3dcc4673e8e5b5209e2cbad26584be30b40b082d0bf906ae4d60e9487a2
- SHA512
  
  bec3b85d3bfa56ab5b1427d870f81bbca45a3bb301c524eca29960185832a3664d449e8d4d320926139d3ec97f425b13e6fbd3b62adcf09987ad82c40f80a7a7
- SSDEEP
  
  3072:LuJFB8IkKLXHxuvz5q3jzQctU7cw0e7hwiXJl8T4DKFbJOxjw0L9l5M/h3:+FBFTLXx9zQctze7yiX4kMOxjw0xT
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

behavioral2

tofseexmrigevasionminerpersistencetrojan

© 2018-2024

Terms | Privacy