General

  • Target: 306b52b0288f8636b145c12e1594b4d5.bin
  • Size: 175KB
  • Sample: 231027-bqbnqaag5x
  • MD5: 0a8118f651338ca927a2c09c58319b7e
  • SHA1: 81e03f52ddc0f637635cbd76fc3fe8ea5ae90df6
  • SHA256: b530a06092497e946b59fe69795193255fddbc4d0e6d6d1e98df8258dfcd7d25
  • SHA512: 73d9aefd91a701ad8c6c56144fba116c5d13a577731299973fb1c4eed670d5bac46594b795aafd6b487252718298242024ab52b9db44460e2220c80a40eae737
  • SSDEEP: 3072:WHq7WJW7r3I4h1TKBbfKr4ci5Hr530QWufRvF7Dthdqc+8nwY1wMqLdmfCAgHi7E:FYWc115F3VLJRthdqc+c1w/dgC3Hi73U

Malware Config

Extracted

  • Family: tofsee
  • C2: vanaheim.cn, jotunheim.name

Targets

    • Target: a4dee314bf550ed83a5be294c6acbea200fb4665c684ae5f842c29ba3233e307.exe
    • Size: 291KB
    • MD5: 306b52b0288f8636b145c12e1594b4d5
    • SHA1: 3b11ac9361a3ab7ab9cc4729c8cb0392a0d8fdaa
    • SHA256: a4dee314bf550ed83a5be294c6acbea200fb4665c684ae5f842c29ba3233e307
    • SHA512: 2b1911749d49ce8155289707baf1560f0a817cacd8f0136acc97b86abfa8fc9ee3b548d4817a10973fcc71991f5280028e3e8e3f0c91ac45932c64057b03dcc5
    • SSDEEP: 6144:KVHVEqQqdL7N9FX0FcOcmy46B5ihS4pe5:KoHqdPHFfOcHr/So

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands received from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks