General
-
Target
f8df432779abcda0e118d44dc6dde5c7.bin
-
Size
142KB
-
Sample
230517-ccdrladd66
-
MD5
7b577303d43c718237af3551eddb53c2
-
SHA1
a139f435990e64f141f50689aeca4b8c748eff0d
-
SHA256
aa3d3a4c3cd6b8252708a6dd548b45ff2586420ea6a995ada9ff6990788b141a
-
SHA512
a19cca5a0ff2d6e52e75af91d5b5c882cd9f180349f9829b99e559d9c8be8a50911090eb85bbb4da0a7a1726e8a3ee96e9d1e292172fbc52470f62e36d175cb4
-
SSDEEP
3072:npYZCiGTfvUYwcR4oVqPJ9eMPs9vhiyKpw2eYUjX19ARAkHDzycuu:pYgfc5Xoszt0JYygw2eYG9ANxp
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
668a73171bcfb225ce6748ef6108fa8bf9b02befb5ba5f392cdcff67926d78a2.exe
-
Size
234KB
-
MD5
f8df432779abcda0e118d44dc6dde5c7
-
SHA1
2574314f96737d4a909246b06f6d0904b1b0e6f6
-
SHA256
668a73171bcfb225ce6748ef6108fa8bf9b02befb5ba5f392cdcff67926d78a2
-
SHA512
43974649ae90e164b8a17288c8c8b249dcdbac0a0c4fc9cdac70edbea455f880be7642e03c33e882e3a0bfaeccca46636398a604867451be52e059fc5fb1e75f
-
SSDEEP
3072:5fPQrqA+LychM1+ziXtcsM/RHbyp+EpsVNg0cqF2Oq5pqIyYnAZ81MZ:mE1MOYcb/jxBUOqptZnAa1MZ
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-