General

  • Target

    file.exe

  • Size

    260KB

  • Sample

    221029-bqnnaaehf2

  • MD5

    0977d24926bb7054965077aa47ae6eb9

  • SHA1

    2b257a3bd6e16788458ee4223ec8d0ebc3a8eea3

  • SHA256

    07699f780ad559ab0a8410f80033750202604736840d7880a11b37253dec5977

  • SHA512

    3fca1acce75d60239fa0373ac5608221294571c44e10fbe7cc92b7d9e01af4cd8e1a8e94fcb654c795a6c8b64aebb85535527b8f092f922b9385ec4e6f64ad7d

  • SSDEEP

    3072:/PiD0BaXzLdQlU/z5d3mt3pVaDhFVIVQC0ODopk3jf80Cxet1nsM/h3:g0BUzLqlFpVaDnVO0Ookz2x0ns

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      file.exe

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
