tofsee | 7727c5ec6a569c9ae2a1d0a0deca65c4be6fd0e484878adac9f6688c660ebde8 | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

General

Target

7727c5ec6a569c9ae2a1d0a0deca65c4be6fd0e484878adac9f6688c660ebde8
Size

242KB
Sample

221221-m83qpsfd2x
MD5

29c111a0abf79b7d5877410410bbea08
SHA1

66d37afc9bd3e644018787dbfd3aeeb38808d9b0
SHA256

7727c5ec6a569c9ae2a1d0a0deca65c4be6fd0e484878adac9f6688c660ebde8
SHA512

63ebf1c7bb3568e35ed97d64b455cb2e125d8e196a6a357436ba81b098cc7b079bf527b11d597015237da5e519ced72189107525587d5da0e0864493ff6386a7
SSDEEP

3072:QaOpULd0XBuF55o8jyG59Pv+dz7I48mxniPALW4P84n7moi79cNQK1+eJV5u48:6eL6xFM6nz8mxniuW857xixeRu4

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

7727c5ec6a569c9ae2a1d0a0deca65c4be6fd0e484878adac9f6688c660ebde8.exe

Resource

win10-20220812-en

tofsee xmrig evasion miner persistence trojan

windows10-1703-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  7727c5ec6a569c9ae2a1d0a0deca65c4be6fd0e484878adac9f6688c660ebde8
- Size
  
  242KB
- MD5
  
  29c111a0abf79b7d5877410410bbea08
- SHA1
  
  66d37afc9bd3e644018787dbfd3aeeb38808d9b0
- SHA256
  
  7727c5ec6a569c9ae2a1d0a0deca65c4be6fd0e484878adac9f6688c660ebde8
- SHA512
  
  63ebf1c7bb3568e35ed97d64b455cb2e125d8e196a6a357436ba81b098cc7b079bf527b11d597015237da5e519ced72189107525587d5da0e0864493ff6386a7
- SSDEEP
  
  3072:QaOpULd0XBuF55o8jyG59Pv+dz7I48mxniPALW4P84n7moi79cNQK1+eJV5u48:6eL6xFM6nz8mxniuW857xixeRu4
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

© 2018-2025

Terms | Privacy