Resubmissions

08-05-2023 12:04

230508-n83alscc6v 10

14-02-2023 12:24

230214-pljenacf6s 1

14-02-2023 12:00

230214-n6rq4adb47 10

14-02-2023 11:52

230214-n1s2zace3s 10

24-01-2023 09:45

230124-lrfn6sad97 10

General

  • Target

    8843202280.zip

  • Size

    139KB

  • Sample

    230508-n83alscc6v

  • MD5

    40e3640ea2cd1731cb3c265e1ca80c94

  • SHA1

    9c90da2647d02351c90247cf9fde770096a37e0d

  • SHA256

    e601e2249d2ed99e05552157a32aa73fb476f2b55bb63d10f9a3405d8269c693

  • SHA512

    19993b49f291108288d6cd8bfca2f48a90e88487c7475019cc993d36e814e0aaf53a745646adc0970f03b3a13a84c23b422939094cfbcde2f3df071a951f9605

  • SSDEEP

    3072:1EA+AEZqewODWcC75vdGLZA/t++hIea4TErNJy3zhWN:X+fwODWIWTh+NQ3zhWN

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Targets

    • Target

      8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45

    • Size

      232KB

    • MD5

      f6254a206b59207201f38f69fb018932

    • SHA1

      4109d2edf584ce7f8104410eaa02ddae1aa37117

    • SHA256

      8bfa1accffb316ba6411badba264e55b04bbe73ec58c79e85f7e523bf1ecdc45

    • SHA512

      bf6ab8ed99b730a364affed3f341387d82a5fed4ae052f4e897726adae2e963182083a3ba6fa52dfa6f2bd9cc9c3b92643279f46bebf931288545938da5a01b6

    • SSDEEP

      3072:aIGGLok59Gt+ECvLFwyvBnlS1g/tK8MJ2LJDhzLrcSb54VIcVTuh:TLoYC+rK+ztK8MY3bIr

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks