tofsee | 577f7a89f71c92f7aa26e8edac4ba449327b75251b4aef85861d0fab35e3d7f5 | Triage

Submit
Reports

Overview

overview

Static

static

3

file.exe

windows7-x64

file.exe

windows10-2004-x64

Sharing

General

Target

file
Size

294KB
Sample

231011-aq6y7ahc81
MD5

a8585854c7a75192794f345a352c62eb
SHA1

84e1c2d35214090bfbd91d5d20d23c5a787beb45
SHA256

577f7a89f71c92f7aa26e8edac4ba449327b75251b4aef85861d0fab35e3d7f5
SHA512

7db0cecd08e50b08bcd9b1c9fd66060835bebe4e99534d1261813ce3cc74d7acfdbf1f10b86fff4eb2c00dfb6f7160d2600fb44bd75e52198cdc2ee71bb7375a
SSDEEP

3072:Gyv5Sfz6m3uahPDRQLptm4Gvq4cS+oiCHbqdCLO30:xwfz6aPD2LptHaq5S+OHbqSO

Score

10^/10

tofsee xmrig evasion miner persistence trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

file.exe

Resource

win7-20230831-en

tofsee xmrig evasion miner persistence trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

file.exe

Resource

win10v2004-20230915-en

tofsee evasion persistence trojan

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

- Target
  
  file
- Size
  
  294KB
- MD5
  
  a8585854c7a75192794f345a352c62eb
- SHA1
  
  84e1c2d35214090bfbd91d5d20d23c5a787beb45
- SHA256
  
  577f7a89f71c92f7aa26e8edac4ba449327b75251b4aef85861d0fab35e3d7f5
- SHA512
  
  7db0cecd08e50b08bcd9b1c9fd66060835bebe4e99534d1261813ce3cc74d7acfdbf1f10b86fff4eb2c00dfb6f7160d2600fb44bd75e52198cdc2ee71bb7375a
- SSDEEP
  
  3072:Gyv5Sfz6m3uahPDRQLptm4Gvq4cS+oiCHbqdCLO30:xwfz6aPD2LptHaq5S+OHbqSO
Score

10^/10

tofsee xmrig evasion miner persistence trojan
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

tofseexmrigevasionminerpersistencetrojan

behavioral2

tofseeevasionpersistencetrojan

© 2018-2024

Terms | Privacy