General
-
Target
cd524a9867b1196e9fd5103acdfa12b3a8b79b7469bf4eb36fce62d35c375796.exe
-
Size
192KB
-
Sample
221203-1z831sdd8y
-
MD5
d4e0a9ff19277f89090ea5e4e558f7ef
-
SHA1
cd3a22ef3f2a0a4f3b01b95b13c4946045e0cd63
-
SHA256
cd524a9867b1196e9fd5103acdfa12b3a8b79b7469bf4eb36fce62d35c375796
-
SHA512
585d62799f6fe5ce68018c20e8aecb6154959bfb8fc02a69dd9a3b249f94f85c1600d60cb2b74365fe4426de4f172fbc0df7e7e789bb06386895eb7bdf1241be
-
SSDEEP
3072:9rbR6e6hM46gUIJ5qbMlCzgyQ4Iu0mE4GrtmxRs9E3AZxpR/c:9Mc46gUL4Bg01xxvp
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Targets
-
-
Target
cd524a9867b1196e9fd5103acdfa12b3a8b79b7469bf4eb36fce62d35c375796.exe
-
Size
192KB
-
MD5
d4e0a9ff19277f89090ea5e4e558f7ef
-
SHA1
cd3a22ef3f2a0a4f3b01b95b13c4946045e0cd63
-
SHA256
cd524a9867b1196e9fd5103acdfa12b3a8b79b7469bf4eb36fce62d35c375796
-
SHA512
585d62799f6fe5ce68018c20e8aecb6154959bfb8fc02a69dd9a3b249f94f85c1600d60cb2b74365fe4426de4f172fbc0df7e7e789bb06386895eb7bdf1241be
-
SSDEEP
3072:9rbR6e6hM46gUIJ5qbMlCzgyQ4Iu0mE4GrtmxRs9E3AZxpR/c:9Mc46gUL4Bg01xxvp
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-