General
- Target: file.exe
- Size: 300KB
- Sample: 230206-zle3cafg99
- MD5: 8ba26140aec7702f27a18eb7e9238fe9
- SHA1: 3e5b466368a5077dc9b938ea45642331986f8827
- SHA256: e764480dd6acba37e913e3e907d44f5f912c56c067caf5118101aaa12445bbbd
- SHA512: eb48d8a92dd494fc421f42910f9185eae2464e97b1c2932f76aa97810dded8ae9f007e81ad5cdb43b58bd08509efa1e4c1b697f098008e1887086be37bbd5d79
- SSDEEP: 3072:CRwb6b2PyLhUGRG/ukjNP99fTP5YTt/BuQjiMTE5B5Eafj:Cy1PyLW1WkjNV9fL2TFBuQj9wEa
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20221111-en
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Targets
- Target: file.exe
- Size: 300KB
- MD5: 8ba26140aec7702f27a18eb7e9238fe9
- SHA1: 3e5b466368a5077dc9b938ea45642331986f8827
- SHA256: e764480dd6acba37e913e3e907d44f5f912c56c067caf5118101aaa12445bbbd
- SHA512: eb48d8a92dd494fc421f42910f9185eae2464e97b1c2932f76aa97810dded8ae9f007e81ad5cdb43b58bd08509efa1e4c1b697f098008e1887086be37bbd5d79
- SSDEEP: 3072:CRwb6b2PyLhUGRG/ukjNP99fTP5YTt/BuQjiMTE5B5Eafj:Cy1PyLW1WkjNV9fL2TFBuQj9wEa
- XMRig Miner payload
- Creates new service(s)
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation