tofsee | 693fa2d6ef85683138941757f6f84984c5495c6c6157c72126803960f50e6071 | Triage

Submit
Reports

Overview

overview

Static

static

1

13b61045b9...10.exe

windows7-x64

13b61045b9...10.exe

windows10-2004-x64

Sharing

General

Target

13b61045b92866c3ab14e075ea80fa6c4e63ef3e22eb582bf542cbfb2ae6f610.zip
Size

203KB
Sample

230417-wmp26ahb6t
MD5

9ed236a8f5df62bafdb87d73e50ce47f
SHA1

9308530250ed235c2bee899792e03b31f91bef2f
SHA256

693fa2d6ef85683138941757f6f84984c5495c6c6157c72126803960f50e6071
SHA512

e8ca04b3bb1bc9784e622c5abf59304c74b6aeb8f6d89be4ea732c679f1e1ea633690a04942d9d7d1fa20d5bcb6cee8e836aa3ab7efd89da9ee315ea6b6841b5
SSDEEP

6144:OZTOXuM7YODxCxTM1whuUkKj1vcoOxlY1w:OZRM7YOc1Tz1v5Ocw

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

13b61045b92866c3ab14e075ea80fa6c4e63ef3e22eb582bf542cbfb2ae6f610.exe

Resource

win7-20230220-en

tofsee xmrig evasion miner persistence trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

13b61045b92866c3ab14e075ea80fa6c4e63ef3e22eb582bf542cbfb2ae6f610.exe

Resource

win10v2004-20230220-en

tofsee xmrig evasion miner persistence trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  13b61045b92866c3ab14e075ea80fa6c4e63ef3e22eb582bf542cbfb2ae6f610.exe
- Size
  
  351KB
- MD5
  
  4a18a94055dba3c5ad2fa1a10582eec3
- SHA1
  
  fc0c32941f69383c2ab6ae53af514331fe68af84
- SHA256
  
  13b61045b92866c3ab14e075ea80fa6c4e63ef3e22eb582bf542cbfb2ae6f610
- SHA512
  
  5bf4346b3fce12a314f6327f840d88e2ea1d7f00c5fecb7f2b14d2eb69a447008bccc52508728791a7a8eaecccfa0b99fe51c032875e18adc64a212434e5fbf4
- SSDEEP
  
  6144:aVvvhSKsCU9XmGm0kn0MM7FOmSafuzq+7XUBybbCt:aVvkKsFMGm0k0MM7lSqutDUub
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

behavioral2

tofseexmrigevasionminerpersistencetrojan

© 2018-2024

Terms | Privacy