General

  • Target

    75b15d265cc961e326bba5b067505d4c478d5221f1c8c8d43c43ca024bfc363b

  • Size

    146KB

  • Sample

    221129-q61p4shc3w

  • MD5

    49e2377d7b078dd9132d68a28864b7aa

  • SHA1

    7624f625c904d6f443293dc943fe978b87df63b0

  • SHA256

    75b15d265cc961e326bba5b067505d4c478d5221f1c8c8d43c43ca024bfc363b

  • SHA512

    bb7cb923651c3812fae5415b6a49f9358a69398ac0b541c67cb480c9f412ce00765ffe05d20b5a91b7c4c5b92a18964c9fa6b2ec7ec06ac09c781d850b5b44c2

  • SSDEEP

    3072:X1Z9CoiH8kN5ejC8bDlUhtX7LWq+qGD0Fg0:FvCDH8HDlUhtPmqGUX

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      75b15d265cc961e326bba5b067505d4c478d5221f1c8c8d43c43ca024bfc363b

    • Size

      146KB

    • MD5

      49e2377d7b078dd9132d68a28864b7aa

    • SHA1

      7624f625c904d6f443293dc943fe978b87df63b0

    • SHA256

      75b15d265cc961e326bba5b067505d4c478d5221f1c8c8d43c43ca024bfc363b

    • SHA512

      bb7cb923651c3812fae5415b6a49f9358a69398ac0b541c67cb480c9f412ce00765ffe05d20b5a91b7c4c5b92a18964c9fa6b2ec7ec06ac09c781d850b5b44c2

    • SSDEEP

      3072:X1Z9CoiH8kN5ejC8bDlUhtX7LWq+qGD0Fg0:FvCDH8HDlUhtPmqGUX

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Tasks