tofsee | 6989520bc009b96f7023447c961deb13cf6f5fa915c8e72ec05e14a1ef00ba7c | Triage

Submit
Reports

Overview

overview

Static

static

3

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file.exe
Size

264KB
Sample

230515-rjy4faeb8s
MD5

d09b253fe63c553f18390c64fae241b2
SHA1

59462f514478528abce4ba8071475cd7eed4f518
SHA256

6989520bc009b96f7023447c961deb13cf6f5fa915c8e72ec05e14a1ef00ba7c
SHA512

315ba07bbd61fe27533fcb2657ff7cc4b8b7d1bf090377f815fe2dddb8029875c746ab540261f0d3ad411f0193703b4d2b2e1859b05ba9c5e132fb649d39108e
SSDEEP

3072:bp41b88SQkCni4itSJrc9WFHzO5t0e6LE483cZScA3Q3gORWz+7sLC44mKPl2yC:s5SHSJA9UHwSe6a3Rw3AmpY7MZ

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20230220-en

tofsee xmrig evasion miner persistence trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20230221-en

tofsee xmrig evasion miner persistence trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  file.exe
- Size
  
  264KB
- MD5
  
  d09b253fe63c553f18390c64fae241b2
- SHA1
  
  59462f514478528abce4ba8071475cd7eed4f518
- SHA256
  
  6989520bc009b96f7023447c961deb13cf6f5fa915c8e72ec05e14a1ef00ba7c
- SHA512
  
  315ba07bbd61fe27533fcb2657ff7cc4b8b7d1bf090377f815fe2dddb8029875c746ab540261f0d3ad411f0193703b4d2b2e1859b05ba9c5e132fb649d39108e
- SSDEEP
  
  3072:bp41b88SQkCni4itSJrc9WFHzO5t0e6LE483cZScA3Q3gORWz+7sLC44mKPl2yC:s5SHSJA9UHwSe6a3Rw3AmpY7MZ
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

behavioral2

tofseexmrigevasionminerpersistencetrojan

© 2018-2024

Terms | Privacy