tofsee | ea0c3ddb08008105c71f75d74327f543f3072ac1efed5a4e972c3b80d476bcbd | Triage

Submit
Reports

Overview

overview

Static

static

3

e3ffa663ee...8f.exe

windows7-x64

e3ffa663ee...8f.exe

windows10-2004-x64

Sharing

General

Target

e3ffa663eeaa0eeda2b5cb06d094cb847f6520df57385c5d7fe5e49d01c99c8f.zip
Size

171KB
Sample

230502-2c9ayaee91
MD5

4d0089a457bbab2ed95beadc31c0a4a0
SHA1

017ab5ff588c496b985df42ce9a8ce0ea3bffa70
SHA256

ea0c3ddb08008105c71f75d74327f543f3072ac1efed5a4e972c3b80d476bcbd
SHA512

b4e9e6cafa228598e130798b9f5d132c48456d20b7649b1be12bbfe4497961efd07252fccc5d443cfa4ba3922dd87eeec2e81812baeec068fa0a1d9699905bf3
SSDEEP

3072:1I+EbrJTGmHkfV8paY2VsGEJmdVSWi6dVnme8mkJ4j5VrscABP:dEpVEfyU/V1PdVSR6PmemefNA

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e3ffa663eeaa0eeda2b5cb06d094cb847f6520df57385c5d7fe5e49d01c99c8f.exe

Resource

win7-20230220-en

tofsee xmrig evasion miner persistence trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

e3ffa663eeaa0eeda2b5cb06d094cb847f6520df57385c5d7fe5e49d01c99c8f.exe

Resource

win10v2004-20230220-en

tofsee xmrig evasion miner persistence trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  e3ffa663eeaa0eeda2b5cb06d094cb847f6520df57385c5d7fe5e49d01c99c8f.exe
- Size
  
  303KB
- MD5
  
  531df55984e2b66ad9f0dbd639de601e
- SHA1
  
  dc9d0df60d45c19e668e99a39946d1d39a5d9a09
- SHA256
  
  e3ffa663eeaa0eeda2b5cb06d094cb847f6520df57385c5d7fe5e49d01c99c8f
- SHA512
  
  1a2029171755e8c7f4f374af5544eef317a0d1635272991b7535f4406a99b4ef5d70985602fd85c8b9eb40de2215c81be496157821f78a013cea74ad2848e72b
- SSDEEP
  
  3072:MuFL7HO/Wc2L/rIUpqfM/FqdAt/XOM5TJDTnmhd+:xFL7HQ2LrI7fg2AtXJnmv+
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

New Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

behavioral2

tofseexmrigevasionminerpersistencetrojan

© 2018-2024

Terms | Privacy