General
-
Target
6e445419480aa1d94571d25836caa196811ac6cf69e8789f440c62c545acfca8
-
Size
132KB
-
Sample
221201-3f9ljsbh73
-
MD5
870be9c9ac7d0946a97d28d8d313118d
-
SHA1
400cad5f57eaaf528a1b2082b507680abee8f1cd
-
SHA256
d663da95ff3d6c348e3a723d687509573ab1e291d0ebb66c3952bce626235d9c
-
SHA512
76ff99af28715888638dcd4b1f46b18383e99dd4f0cbb29032d326bcd7013e5529a9e920873f84754b29981ebbbd885fa2176bb8c71ca7b331f29d5a6427083f
-
SSDEEP
3072:Ye/MWUJzLwUruwdi8fuj2aHUy3wQqm6503voJ1xl4jM/JYypEHKuKv:YTNJzdruN8o5As603v4zdI18
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Targets
-
-
Target
6e445419480aa1d94571d25836caa196811ac6cf69e8789f440c62c545acfca8
-
Size
185KB
-
MD5
7bdae7930443f34eff0c18dd7b0d7d30
-
SHA1
8476925b3b177521c7e3e5850ebe003d60252d29
-
SHA256
6e445419480aa1d94571d25836caa196811ac6cf69e8789f440c62c545acfca8
-
SHA512
80934829ea75974287351431fdcee145b798133018839ac9b031bba5da5a9924e5d7a7e8e6b32fc4f4604dc244adbd9f35f77ea9e3cd15afcb03099d6cb79357
-
SSDEEP
3072:xe8M4yW09z+zn5xHUGooXncFKk097NDS2nj5L906Z4+t:lMD9zEoInq21S2P0
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-