General
-
Target
652f00b6afd02c149a52a299ee2d2455.bin
-
Size
128KB
-
Sample
231024-b4vczsbf26
-
MD5
e35cff76eb1fd34b2e1e9681f3454a07
-
SHA1
9acadb65f7cca5edf75c17876955cbfd77c8322e
-
SHA256
e3457924da8f9ad08b327e53239ef3f360f85019d638426e5a542ba1ffc5e60d
-
SHA512
f574a20bc886f38c72c9682e34e8fd780ab3447db13aa8aa9486fb1a44d3a0f13406ed5b5f90745cc70bc65fa09ce7e99fe3017d87133ec174835db93a67cadb
-
SSDEEP
3072:P025p3AJF1ClnDRw5pnCe7HxuRF/FWxeqTqhRKIwWP+ZZFqk:sQ3YkDRw5pnHxUz8fZ9w+kk
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Targets
-
-
Target
1a9f34a4410437ddb1a2d8051099d92990751e9743b1b1a4d909fa0113da0e07.exe
-
Size
179KB
-
MD5
652f00b6afd02c149a52a299ee2d2455
-
SHA1
dfc353413a54c37aeb1a190bdacae61c19e2e63d
-
SHA256
1a9f34a4410437ddb1a2d8051099d92990751e9743b1b1a4d909fa0113da0e07
-
SHA512
28c7a881bb6b0f072ca8bcd41276f978f9dbaada71ff12e1d0b66c903a17c58a9c00e4d6c115a5de285238b2b9790da4e82554fec82ba88bd6d0943171bd0d1f
-
SSDEEP
3072:cyBNbfgueA8c9TnxCBqKbWQeev6sMODgeP9NUU7qQPoxdc30YbQBX:/uTA8oTnYMKbWQ35MOc6cUKdCz
Score10/10-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload
-
Creates new service(s)
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2