Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    file.exe

  • Size

    385KB

  • Sample

    230210-yx89wsad6s

  • MD5

    ba2cc72879e8642a04545a795cf2c154

  • SHA1

    f0b9d522c0f6ab5eba74825d89c8c9a01ebc4202

  • SHA256

    f2dc9e5e517f8be39cde8bb164f2d9ed51c814f6584511e996940f4746a874f6

  • SHA512

    4e80c171ab5ed6aa2ba12a20dc9bca8d32768c10c0c1334f79df6b4203c9ebdf8ab85ec914da509d0da1d4f5dea4d7265d0acbd03749be5fe57b999c222c1bc9

  • SSDEEP

    3072:xr8AV4Mha55dPRY9UWprNBSBajLjyVXl9nf6N58IUZK2UU7:dQ3h6qOqasXTnfW53AK

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      file.exe

    • Size

      385KB

    • MD5

      ba2cc72879e8642a04545a795cf2c154

    • SHA1

      f0b9d522c0f6ab5eba74825d89c8c9a01ebc4202

    • SHA256

      f2dc9e5e517f8be39cde8bb164f2d9ed51c814f6584511e996940f4746a874f6

    • SHA512

      4e80c171ab5ed6aa2ba12a20dc9bca8d32768c10c0c1334f79df6b4203c9ebdf8ab85ec914da509d0da1d4f5dea4d7265d0acbd03749be5fe57b999c222c1bc9

    • SSDEEP

      3072:xr8AV4Mha55dPRY9UWprNBSBajLjyVXl9nf6N58IUZK2UU7:dQ3h6qOqasXTnfW53AK

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
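The extracted configuration and the behavioural signatures above translate directly into hunt logic. The Python below is an added example, not part of this sandbox report or of any tria.ge tooling: it matches constructed telemetry lines (invented for illustration, not captured from the sample's execution) against the two Tofsee C2 domains, the file's SHA256, and the registry, service and firewall behaviours the signatures name. The log line format, the registry locations (Run keys, Services\*\ImagePath) and the netsh firewall command pattern are assumptions; the report does not state which keys, commands or paths the sample actually used.

```python
"""Hunt for this report's indicators in constructed endpoint telemetry.

Added example; the telemetry below is constructed, not from the sample.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators copied from the report: extracted C2 hosts and the file's SHA256.
C2_DOMAINS = frozenset({"svartalfheim.top", "jotunheim.name"})
SAMPLE_SHA256 = "f2dc9e5e517f8be39cde8bb164f2d9ed51c814f6584511e996940f4746a874f6"

# Generic locations behind the "Adds Run key" and "Sets service image path in
# registry" signatures. Assumption: the page does not name the exact keys.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
SERVICE_IMAGEPATH_RE = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\[^\\]+\\ImagePath$", re.I
)
# One common way to "Modify Windows Firewall" is netsh; assumption, the report
# does not say how the sample changed firewall state.
NETSH_FW_RE = re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\b.*\b(add|set)\b", re.I)

# Constructed line format: "<timestamp> <DNS|REG|PROC|FILE> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<type>DNS|REG|PROC|FILE) (?P<rest>.*)$")


@dataclass(frozen=True)
class Alert:
    kind: str
    evidence: str


def c2_match(qname: str) -> bool:
    """True if qname is a C2 domain or a subdomain of one; case and trailing dot insensitive."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def classify_registry(target: str) -> Optional[str]:
    """Label a registry value write that matches a persistence location, else None."""
    if RUN_KEY_RE.search(target):
        return "persistence_run_key"
    if SERVICE_IMAGEPATH_RE.match(target):
        return "persistence_service_imagepath"
    return None


def parse_fields(rest: str) -> dict:
    """Split key=value pairs; values may be double-quoted to contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}


def hunt(lines: Iterable[str]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        f = parse_fields(m["rest"])
        t = m["type"]
        if t == "DNS" and c2_match(f.get("query", "")):
            alerts.append(Alert("c2_dns", f["query"]))
        elif t == "REG":
            kind = classify_registry(f.get("target", ""))
            if kind:
                alerts.append(Alert(kind, f"{f['target']} -> {f.get('details', '')}"))
        elif t == "PROC" and NETSH_FW_RE.search(f.get("cmd", "")):
            alerts.append(Alert("firewall_modification", f["cmd"]))
        elif t == "FILE" and f.get("sha256", "").lower() == SAMPLE_SHA256:
            alerts.append(Alert("known_sample_hash", f.get("path", "")))
    return alerts


# Constructed telemetry for illustration; paths, service and rule names are invented.
SAMPLE_TELEMETRY = [
    '2023-02-10T10:00:01Z FILE path="C:\\Users\\victim\\Downloads\\file.exe" '
    "sha256=F2DC9E5E517F8BE39CDE8BB164F2D9ED51C814F6584511E996940F4746A874F6",
    "2023-02-10T10:00:02Z DNS query=svartalfheim.top.",
    "2023-02-10T10:00:02Z DNS query=update.microsoft.com",
    '2023-02-10T10:00:03Z REG target="HKLM\\SYSTEM\\CurrentControlSet\\Services\\examplesvc\\ImagePath" '
    'details="C:\\Windows\\System32\\example.exe"',
    '2023-02-10T10:00:04Z REG target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\example" '
    'details="C:\\Users\\victim\\AppData\\Local\\example.exe"',
    '2023-02-10T10:00:05Z PROC cmd="netsh advfirewall firewall add rule name=example dir=in '
    'action=allow program=C:\\Windows\\System32\\example.exe"',
    '2023-02-10T10:00:06Z REG target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" details=1',
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_TELEMETRY):
        print(f"{a.kind:32} {a.evidence}")
```

The domain check deliberately matches subdomains and tolerates the trailing dot that resolvers and pcap tools emit, while rejecting look-alikes such as `notjotunheim.name`. The service ImagePath rule fires on any write, not only on paths outside System32, because the report's "Drops file in System32 directory" signature means a System32 path is exactly what to expect here.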

MITRE ATT&CK Enterprise v6

Tasks