General
-
Target
0a92ddabee8fc6fc69b3999f21249e4acdd592d71a6a3bba5fc8190a5751514f
-
Size
10.2MB
-
Sample
230609-mrz89acf8w
-
MD5
533c57dda4dba8ea23650d642ebbfd41
-
SHA1
d11daa23ca404b163d04dade2c22d320a18fb098
-
SHA256
0a92ddabee8fc6fc69b3999f21249e4acdd592d71a6a3bba5fc8190a5751514f
-
SHA512
5198545f3395d58ac8fccbad2bd924d519dbcdce7177598828384052b6e964108a01bc1e89ace8118ff80e0906f1d252d214b0a1430fa1e62994ff1063915db6
-
SSDEEP
49152:RHdOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOW:
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
0a92ddabee8fc6fc69b3999f21249e4acdd592d71a6a3bba5fc8190a5751514f
-
Size
10.2MB
-
MD5
533c57dda4dba8ea23650d642ebbfd41
-
SHA1
d11daa23ca404b163d04dade2c22d320a18fb098
-
SHA256
0a92ddabee8fc6fc69b3999f21249e4acdd592d71a6a3bba5fc8190a5751514f
-
SHA512
5198545f3395d58ac8fccbad2bd924d519dbcdce7177598828384052b6e964108a01bc1e89ace8118ff80e0906f1d252d214b0a1430fa1e62994ff1063915db6
-
SSDEEP
49152:RHdOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOW:
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-