
General

  • Target

    file.exe

  • Size

    299KB

  • Sample

    230207-b2y86agh85

  • MD5

    554879592dac3efc1711fab6d3af54ea

  • SHA1

    e26c2828e08ac6f03f3061bdb22505bbcb41c99d

  • SHA256

    cf08cb921f0bfdf2876df5f4691b06233515e150be0456b7d3ee5dee5e9d55e4

  • SHA512

    f05f5d6fa132cc0180d3ee35d77ff1671c1ffde11b084fb9fa47592f7a20fe7c2b9fea2775286027b4c76bf4473e992c274743000f622b1b06f57eb9d5783151

  • SSDEEP

    6144:nW/LvlQkaDpjZ+mg5exp7sCkuQj9+Rrga:W/LS3Dpd+mp5klj2U

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6
