General

Target: 510f46a26c07218801889fa4a47b680a6adac3f1262b40fe5e89f16f03803a29
Size: 104KB
Sample: 221130-ahcelsbc95
MD5: 50e1f8181d133644d64dcca5252e398e
SHA1: 98f45939a92a05694076b0aca21448d35e7e6114
SHA256: 4ddeca2036df82a2f383a7cb9f8169b9521d366d16dba26a42261059ac01857f
SHA512: a3f8d7ba67e417ccebdbcc2d4b80490a68dc0b3c45d1509eb0d3760823a815ebb513bb8c4021193d4c61eb74582deedd7b1b8c5cac37f6b991f22fc1180ed267
SSDEEP: 1536:6zPTBPpnN8EYHCcermq+gIQVCUo/QCkp3w/WC5HegB5qozbAfcO5YnQxTy:6zPTBPpniEFD+gFI4zRw/dbAcO5YnEy

Static task: static1

Behavioral task: behavioral1
Sample: 510f46a26c07218801889fa4a47b680a6adac3f1262b40fe5e89f16f03803a29.exe
Resource: win7-20220812-en

Malware Config

Extracted: tofsee
Domains: svartalfheim.top, jotunheim.name

Targets

Target: 510f46a26c07218801889fa4a47b680a6adac3f1262b40fe5e89f16f03803a29
Size: 146KB
MD5: c2931071a91f8a1ca71ecb555a04ee09
SHA1: b6c8725d95ad7937cb46966472fb563ce6c3f86c
SHA256: 510f46a26c07218801889fa4a47b680a6adac3f1262b40fe5e89f16f03803a29
SHA512: b95279bb2a694a4e956bbbbe61abadb893948a6639a4570503737e84dd1188d7723c24d810082c92b05c53529bfb667e676f71a31f2dedd5b230e29b1f567a5f
SSDEEP: 3072:MBLYTER4Oh5BShPrLMyW8M4I6ft+4/9O:YrR4VhPrQyu4fF/

Signatures:
- XMRig Miner payload
- Creates new service(s)
- Executes dropped EXE
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
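The behaviours flagged above are sandbox signatures fired by individual registry, file, DNS and HTTP events. As an added example that is not part of this report or of the sandbox's own signature code, the following Python sketch re-implements a few of them over constructed, line-oriented events: the event format, the registry paths each signature keys on, the service name `svc_example`, and the list of IP-lookup services are all assumptions made for this example; the two domains are the ones from the extracted tofsee config above.

```python
"""Toy behavioural-signature matcher over constructed sandbox-style events.

Added example, not part of the sandbox report.  Event format, registry paths
and the IP-lookup host list are assumptions; the C2 domains come from the
report's extracted config.
"""
import re
from urllib.parse import urlparse

# Domains listed in the report's extracted tofsee config.
TOFSEE_C2_DOMAINS = {"svartalfheim.top", "jotunheim.name"}

# Assumption: public services commonly used to learn the external IP.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "ifconfig.me", "icanhazip.com",
    "checkip.dyndns.org", "ip-api.com",
}

# Assumption: the registry value a geofence check reads (the locale's country code).
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Assumption: ImagePath of any service under CurrentControlSet.
SERVICE_IMAGEPATH_RE = re.compile(
    r"\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


def parse_event(line):
    """Split '<pid> <op> <target>' into (pid, op, target).

    The target may contain spaces, so only the first two fields are split off.
    Returns None for lines that do not fit the assumed format."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    pid, op, target = parts
    return int(pid), op, target


def classify(event):
    """Return the name of the signature an event triggers, or None."""
    pid, op, target = event
    if op == "reg_read" and GEO_NATION_RE.search(target):
        return "checks_computer_location"
    if op == "http_get":
        host = (urlparse(target).hostname or "").lower()
        if host in IP_LOOKUP_HOSTS:
            return "looks_up_external_ip"
    if op == "reg_write" and SERVICE_IMAGEPATH_RE.search(target):
        return "sets_service_image_path"
    if op == "file_write" and target.lower().startswith(SYSTEM32_PREFIX):
        return "drops_file_in_system32"
    if op == "dns_query" and target.lower().rstrip(".") in TOFSEE_C2_DOMAINS:
        return "tofsee_c2_domain"
    return None


def match_signatures(event_text):
    """Map each triggered signature to the (pid, target) pairs that fired it,
    in the order the events appear."""
    hits = {}
    for line in event_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        name = classify(event)
        if name:
            hits.setdefault(name, []).append((event[0], event[2]))
    return hits


# Constructed sample events (not taken from the report); "svc_example" is a
# placeholder service name.  Backslashes are doubled for the Python string.
SAMPLE_EVENTS = """\
1234 reg_read HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation
1234 http_get http://api.ipify.org/
1234 reg_write HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\svc_example\\ImagePath
1234 file_write C:\\Windows\\System32\\svc_example.exe
1234 dns_query svartalfheim.top
1234 dns_query jotunheim.name
5678 http_get https://example.com/
5678 reg_read HKEY_CURRENT_USER\\Software\\Example
"""

if __name__ == "__main__":
    for name, where in sorted(match_signatures(SAMPLE_EVENTS).items()):
        print(f"{name}: {where}")
```

Each signature here is a single-event rule, which is how the report's one-line findings read; a real sandbox also correlates across events (for example, tying the ImagePath write to the file dropped in System32 and to the later service start), and the unrelated PID 5678 events show that benign reads and fetches fall through without a hit.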