tofsee | bdb1300eaa48c72e69b79d88bc6c877d26fd770fbd3a95c7684ecca4795e7b53 | Triage

Submit
Reports

Overview

overview

Static

static

3

531c2ef448...8e.exe

windows7-x64

531c2ef448...8e.exe

windows10-2004-x64

Sharing

General

Target

531c2ef448a0a783616805d90baa648e.exe
Size

233KB
Sample

230526-jjnnpsfa3v
MD5

531c2ef448a0a783616805d90baa648e
SHA1

930ac8c50ef9b89cfb090925a6606ed38e16f3f4
SHA256

bdb1300eaa48c72e69b79d88bc6c877d26fd770fbd3a95c7684ecca4795e7b53
SHA512

07d92e128846b552ef3694f1a3c085c97564439429a485ae5555d073197df7a68827fd5a84447ee8f81d06d6d861faa68601c763bd3c9fb048e100e2f16e74f6
SSDEEP

3072:8kIlnYvQUkT2ynW7pWoxOxT+DmhtfNlc07j7AoxQTdVWfWS2X9Zo/D:T+wsMxO9+DwNq07n7QTjWfWNLo7

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

531c2ef448a0a783616805d90baa648e.exe

Resource

win7-20230220-en

tofsee xmrig evasion miner persistence trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

531c2ef448a0a783616805d90baa648e.exe

Resource

win10v2004-20230220-en

tofsee xmrig evasion miner persistence trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  531c2ef448a0a783616805d90baa648e.exe
- Size
  
  233KB
- MD5
  
  531c2ef448a0a783616805d90baa648e
- SHA1
  
  930ac8c50ef9b89cfb090925a6606ed38e16f3f4
- SHA256
  
  bdb1300eaa48c72e69b79d88bc6c877d26fd770fbd3a95c7684ecca4795e7b53
- SHA512
  
  07d92e128846b552ef3694f1a3c085c97564439429a485ae5555d073197df7a68827fd5a84447ee8f81d06d6d861faa68601c763bd3c9fb048e100e2f16e74f6
- SSDEEP
  
  3072:8kIlnYvQUkT2ynW7pWoxOxT+DmhtfNlc07j7AoxQTdVWfWS2X9Zo/D:T+wsMxO9+DwNq07n7QTjWfWNLo7
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

New Service

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

behavioral2

tofseexmrigevasionminerpersistencetrojan

© 2018-2024

Terms | Privacy