tofsee | 94d11bb9b10c452512621c11a5b57448d3323eddfef63da693a7dc8839ed4f7e | Triage

Submit
Reports

Overview

overview

Static

static

dridex

windows10-1703-x64

Sharing

Copy URL Twitter E-mail

General

Target

94d11bb9b10c452512621c11a5b57448d3323eddfef63da693a7dc8839ed4f7e
Size

306KB
Sample

230107-hqgcjach89
MD5

b3cad5414efcc94728a979e84ef5c8a6
SHA1

bb530128b80b00119c617dff702f0693a8b4bf9c
SHA256

94d11bb9b10c452512621c11a5b57448d3323eddfef63da693a7dc8839ed4f7e
SHA512

3fb3d2a1bae38fd7f9f6b57a7b457d09b55df981633e685f098b9f79d651d6345f04ad14db1495998a66415139d871d12c0f0e03f56b2eea5f161a0bba8a1066
SSDEEP

3072:s3XpkkLuzx0XeLd5XjDWAykeAYeE0nN4SSbwXkVZYUUA3H4Z5Ktfpi6zSbDL:qJLuFbcKY50nNwAkFR45Cpi6Wb

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

94d11bb9b10c452512621c11a5b57448d3323eddfef63da693a7dc8839ed4f7e.exe

Resource

win10-20220812-en

tofsee xmrig evasion miner persistence trojan

windows10-1703-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  94d11bb9b10c452512621c11a5b57448d3323eddfef63da693a7dc8839ed4f7e
- Size
  
  306KB
- MD5
  
  b3cad5414efcc94728a979e84ef5c8a6
- SHA1
  
  bb530128b80b00119c617dff702f0693a8b4bf9c
- SHA256
  
  94d11bb9b10c452512621c11a5b57448d3323eddfef63da693a7dc8839ed4f7e
- SHA512
  
  3fb3d2a1bae38fd7f9f6b57a7b457d09b55df981633e685f098b9f79d651d6345f04ad14db1495998a66415139d871d12c0f0e03f56b2eea5f161a0bba8a1066
- SSDEEP
  
  3072:s3XpkkLuzx0XeLd5XjDWAykeAYeE0nN4SSbwXkVZYUUA3H4Z5Ktfpi6zSbDL:qJLuFbcKY50nNwAkFR45Cpi6Wb
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

© 2018-2025

Terms | Privacy