tofsee

Resubmissions

08-05-2023 12:04

230508-n83alscc6v 10

14-02-2023 12:24

14-02-2023 12:00

14-02-2023 11:52

24-01-2023 09:45

Sharing

Copy URL

Twitter E-mail

General

Target

8843202280.zip
Size

139KB
Sample

230124-lrfn6sad97
MD5

40e3640ea2cd1731cb3c265e1ca80c94
SHA1

9c90da2647d02351c90247cf9fde770096a37e0d
SHA256

e601e2249d2ed99e05552157a32aa73fb476f2b55bb63d10f9a3405d8269c693
SHA512

19993b49f291108288d6cd8bfca2f48a90e88487c7475019cc993d36e814e0aaf53a745646adc0970f03b3a13a84c23b422939094cfbcde2f3df071a951f9605
SSDEEP

3072:1EA+AEZqewODWcC75vdGLZA/t++hIea4TErNJy3zhWN:X+fwODWIWTh+NQ3zhWN

Score

10^/10

Malware Config

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Targets

- Target
  
  8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45
- Size
  
  232KB
- MD5
  
  f6254a206b59207201f38f69fb018932
- SHA1
  
  4109d2edf584ce7f8104410eaa02ddae1aa37117
- SHA256
  
  8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45
- SHA512
  
  bf6ab8ed99b730a364affed3f341387d82a5fed4ae052f4e897726adae2e963182083a3ba6fa52dfa6f2bd9cc9c3b92643279f46bebf931288545938da5a01b6
- SSDEEP
  
  3072:aIGGLok59Gt+ECvLFwyvBnlS1g/tK8MJ2LJDhzLrcSb54VIcVTuh:TLoYC+rK+ztK8MY3bIr
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

xmrig

XMRig Miner payload

Creates new service(s)

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

Checks computer location settings

Deletes itself

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2