General
-
Target
de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.zip
-
Size
171KB
-
Sample
230502-2c27mach26
-
MD5
152b8ae828d76bbcc5d2ec3eb90a1609
-
SHA1
05427b59bc98ced3d6d40ebe06be016e9c128bd4
-
SHA256
b84918eb632e3519a9d4ca6634784d5923b9fb1d11f4dc634542f23d355d0b80
-
SHA512
b3260f44ec2dda16c06b1bf5af073c7d6bdfed77717cd252a44e6c887fa860a3675630e740dcbb8f821324b9dd5ac78c2a80842df64b40a3e05232710f3b4ede
-
SSDEEP
3072:Vi/YoiUKGHpRZPbIwpITqGcTvEQlOJk4FsPkklQJZYjaeD/nr:Vi/YolFp3bzpOKzEQlO6UKkpZU
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe
-
Size
302KB
-
MD5
c47f32f68a1ca3309768b48ec98cd752
-
SHA1
ab24f2d6a2cacd0b807b2a174e4c43e8d629b32e
-
SHA256
de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b
-
SHA512
747db0d277eac21cdb2f51862fe861e27b444bdae4ed08bcc92a92d27c75c6ee602723fa102a3501f980bea18bd2c9a500113c6e9cf42d752240e145b1bd610d
-
SSDEEP
3072:Muy7xHO5Ur+3sfGjmvp8hPdJidlfZl8ebAGMR5zODTKchd+OH:xy7xHvrmsejm6d2NZlDAGMHOKcv+y
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-