General

  • Target

    NEAS.49d338bc0aff700c861cea2620b98d673f0378a8c0813275722e08933bf0cf07.exe

  • Size

    259KB

  • Sample

    231106-3z5rpsab58

  • MD5

    52bfbbeea419b32453306fbe9978576a

  • SHA1

    a357439bd75ddf0f398d002cbb04e41182c225e5

  • SHA256

    49d338bc0aff700c861cea2620b98d673f0378a8c0813275722e08933bf0cf07

  • SHA512

    a3419cefc4eae81026b514156b81a979eae42934d7c80b5c1c733efa9143b5b637412bdcf2b33ca330de3b1a0c0221e7340799b8b00883149951ab47110ff8a2

  • SSDEEP

    3072:kVX+o2rgL565qeKPYBMaSTC4KGBQoHt7Erjazbach5lh60keCUj:8+7gLYUFYBDRuUjazb5h6TM

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      NEAS.49d338bc0aff700c861cea2620b98d673f0378a8c0813275722e08933bf0cf07.exe

    • Size

      259KB

    • MD5

      52bfbbeea419b32453306fbe9978576a

    • SHA1

      a357439bd75ddf0f398d002cbb04e41182c225e5

    • SHA256

      49d338bc0aff700c861cea2620b98d673f0378a8c0813275722e08933bf0cf07

    • SHA512

      a3419cefc4eae81026b514156b81a979eae42934d7c80b5c1c733efa9143b5b637412bdcf2b33ca330de3b1a0c0221e7340799b8b00883149951ab47110ff8a2

    • SSDEEP

      3072:kVX+o2rgL565qeKPYBMaSTC4KGBQoHt7Erjazbach5lh60keCUj:8+7gLYUFYBDRuUjazb5h6TM

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks