tofsee | 3799d9bdef68c2a7a47a2e6c0b73e804a09841c9b8f1a4ff433a1ea9ca69c217 | Triage

Submit
Reports

Overview

overview

Static

static

1

da9e1000fe...1f.exe

windows7-x64

da9e1000fe...1f.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

491f10bcc9d547a9816a6e3147368a5f.bin
Size

129KB
Sample

230211-bk7h7she69
MD5

da6e4e49882eb9fe6c12e1501a50e0bb
SHA1

228c3e029d389e785fe05687c82a391fe32c199e
SHA256

3799d9bdef68c2a7a47a2e6c0b73e804a09841c9b8f1a4ff433a1ea9ca69c217
SHA512

a5e8f70abece4e980d0bb5d87bbb28bd8a6dce8e212cadbb2fb4546401a6f6d1637869f2fd0baa00a497b19c40376b26da56e0d10a40b2bf7e62a8188fddbb10
SSDEEP

3072:KyabQoYnNlOGR3f9jSr63nr3dRq6g23cHhmo+k8d49wAIgVY:TLHR31+anTjq6g23cHhF+k8+SVgC

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

da9e1000fee01c6781ed0a7e5202d1445e734ae5ac39fbb3af2d0a272451731f.exe

Resource

win7-20220812-en

tofsee xmrig evasion miner persistence trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

da9e1000fee01c6781ed0a7e5202d1445e734ae5ac39fbb3af2d0a272451731f.exe

Resource

win10v2004-20221111-en

tofsee evasion persistence trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

- Target
  
  da9e1000fee01c6781ed0a7e5202d1445e734ae5ac39fbb3af2d0a272451731f.exe
- Size
  
  185KB
- MD5
  
  491f10bcc9d547a9816a6e3147368a5f
- SHA1
  
  f36a1451152c3be82e38efbc6dfdb71ec7f0942f
- SHA256
  
  da9e1000fee01c6781ed0a7e5202d1445e734ae5ac39fbb3af2d0a272451731f
- SHA512
  
  566705814c5cb0631e5d3556a8380c317099f66d76a1ef4fccbe3712994314df453c41e8ad7b1fff2b8b1063c3f87d73853231a930f44fe0102cea8b44c83961
- SSDEEP
  
  3072:2Fg4HIK9Pilrss8ix9RJaMi4jrW/fTVUWNm+GIAsVBylcku:2F3rRjs5x9Rdji/fTVvPNVIl
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan

© 2018-2025

Terms | Privacy