General

  • Target

    NEAS.4470acf5c0eef39191bafcdc34243ed0dc02d72f99ac148987b1eefdbd198adf.exe

  • Size

    254KB

  • Sample

    231106-114vpafg2z

  • MD5

    03b34511e2b93c772e8effc9f6ee7a88

  • SHA1

    cd0498093ce14b3c41b98b82d27e02906e756de8

  • SHA256

    4470acf5c0eef39191bafcdc34243ed0dc02d72f99ac148987b1eefdbd198adf

  • SHA512

    9acfe12a79febc08ed710b917daf18c066048b742c943a8137225320716cd289f39cf2f30c02424a2746675869156183671953b3aa9fc0a8a96004d1ed115cf4

  • SSDEEP

    3072:XFRLY++OCLyi6Q0YCJNspaJkGQq94IXkihxd79nD6zBgwoq5Xa2lVEf:VRLY+lCLyiWY27JkBq9Dhn72gCaGI

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn

    jotunheim.name

Targets

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks