Overview

overview

10

Static

static

3

0967dfa48b...12.exe

windows7-x64

10

0967dfa48b...12.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b101be318ab44ddbbabf025ef02e9a29.bin

  • Size

    182KB

  • Sample

    230513-b1ztashc61

  • MD5

    a3d08dae5df7b6a8511454cda116a185

  • SHA1

    1ce0a4c1692b618cd038d781f503f8b77cdc1f32

  • SHA256

    6838dc249ad16a62aa7dded33837e4f04a3467359f7d571a0c4e59e963b6eea2

  • SHA512

    d836cca64cd8df51918a74fee9e1236b5a5a428394bd7f07fb3ab8ed102132c32828fe403da6913f8032828e9e8184dfd03c6c10d9e0fece8de9d0895304acc9

  • SSDEEP

    3072:+KfeL4Zq1yZ8oZLxnWfty+3Y4e9KWXChYvPt+LEyRm4C0wxqg5FUg:d1c46tyIY40XFPkRRmv0wBFr

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612.exe

    • Size

      318KB

    • MD5

      b101be318ab44ddbbabf025ef02e9a29

    • SHA1

      0e3d67a5c6f97f6f1d23a9540336b3ded4eaa13f

    • SHA256

      0967dfa48bd1d2d0e282f762e9be80315cc6ea75b6e1b34d73f066c47ab46612

    • SHA512

      79533d9d92770221a5631f942d48f893ec5cf0d3c8af899465b2cc4b4b92da5c3787cc65425c34d026fcb646b08348dd68ec14a3c9f56cdd914591594f8aa001

    • SSDEEP

      3072:TpXtNfDL3hmn5585BYMpYEvLDWPS5Z2wg3z2zxBUb5EpMYNY0lKRfeJ:RnLL3h45VMpYi2czjlpxPcQJ

    Score
    10/10
    tofseeevasionpersistencetrojanxmrigminer

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

      trojantofsee

    • Windows security bypass

      evasiontrojan

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Creates new service(s)

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks