tofsee | 73b7caf4299cfdc6cbfc8f035283321fbea5ce470ec493d344f177aeabc1233c | Triage

Submit
Reports

Overview

overview

Static

static

ae103a988f...a2.exe

windows7-x64

ae103a988f...a2.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

ae103a988f889f4120a5d21bdf08d4ff41588c26c4efab1c604cab29dc5632a2
Size

122KB
Sample

221127-vv9k4aeb73
MD5

40e788f15097a53046f6c33e7f2fc0ff
SHA1

dd0591585c30a9564f3b69a59c1636057d5b3522
SHA256

73b7caf4299cfdc6cbfc8f035283321fbea5ce470ec493d344f177aeabc1233c
SHA512

732b6452144c7b7fa9e7530b4d66d86bbc23ea7a3403c9a657f5bdfa0bfb3c10290a27da71a9ca7eb116040098db9cc3f1c8c7b1055d19380c586596c65a222b
SSDEEP

3072:8O9WWcjBlA40uc7fTbfxuYhTyuaad402UlVDYJ5V2wpbr3U:8uWTjB70u8fTbI3uld40vYJ5d4

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

ae103a988f889f4120a5d21bdf08d4ff41588c26c4efab1c604cab29dc5632a2.exe

Resource

win7-20220812-en

tofsee xmrig evasion miner persistence trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

ae103a988f889f4120a5d21bdf08d4ff41588c26c4efab1c604cab29dc5632a2.exe

Resource

win10v2004-20221111-en

tofsee xmrig evasion miner persistence trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  ae103a988f889f4120a5d21bdf08d4ff41588c26c4efab1c604cab29dc5632a2
- Size
  
  178KB
- MD5
  
  faca2fb4b7df8b02263be3f101775d8d
- SHA1
  
  1ee11a0311a1507b66d76b668eaa1806794692a7
- SHA256
  
  ae103a988f889f4120a5d21bdf08d4ff41588c26c4efab1c604cab29dc5632a2
- SHA512
  
  3f8dd1204b45afb76df8137f1a46a40a6b53c3bf98b80959724d27bc1da1e1e48fb28c18ebbb4940b30ac6b98e1b04f4ccb937e7a9b836802bfbea903a88ff7c
- SSDEEP
  
  3072:knSQXMYrEDcw6d5QWBhf7RBkDuaad402UlVDYJ5V2RBB2Wk2:mDEDcwdYJRBSuld40vYJ5yB
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

behavioral2

tofseexmrigevasionminerpersistencetrojan

© 2018-2025

Terms | Privacy