General
-
Target
file
-
Size
320KB
-
Sample
230206-tm2d3seg58
-
MD5
2a9f1a6f6f5102b53fbafbeca0ebc1a7
-
SHA1
7e9d0eeaf3cba6b9fe49a7cde5fc60791b935bcf
-
SHA256
5ab363da467713750238499b00e0acdbffd91ace0c10649cb17b4b244ae0ab3f
-
SHA512
6ef2e9d0e2ca905371aee62be69e985ad6197313b64c775f152ea2c64911bdb19c5c3384faa3848327ed668c3fde29e30566cbce53b50da4751ad30a5577a923
-
SSDEEP
3072:JGz4wiIL5Aw2R6E4jDAoBu15trOFR7wBjBP93gTW3YvjC1//+sxA7rztLzMsj:WNLywJE4q5tr+wabvjClRk9Ltj
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Targets
-
-
Target
file
-
Size
320KB
-
MD5
2a9f1a6f6f5102b53fbafbeca0ebc1a7
-
SHA1
7e9d0eeaf3cba6b9fe49a7cde5fc60791b935bcf
-
SHA256
5ab363da467713750238499b00e0acdbffd91ace0c10649cb17b4b244ae0ab3f
-
SHA512
6ef2e9d0e2ca905371aee62be69e985ad6197313b64c775f152ea2c64911bdb19c5c3384faa3848327ed668c3fde29e30566cbce53b50da4751ad30a5577a923
-
SSDEEP
3072:JGz4wiIL5Aw2R6E4jDAoBu15trOFR7wBjBP93gTW3YvjC1//+sxA7rztLzMsj:WNLywJE4q5tr+wabvjClRk9Ltj
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-