General

  • Target

    file.exe

  • Size

    256KB

  • Sample

    231106-radq5sbe8x

  • MD5

    94a63411716991d1482cc6f34f8dd798

  • SHA1

    1138e285ad1b5d39cc038a857c096544547783e3

  • SHA256

    17b60ee2f89777c9dc8694d8098f7082590633459075bbed7108b578449a3c72

  • SHA512

    5740be4caf1266ecf6e27032b0db7545948e92e8c4d9b2fe84805bef044db30356fe8ee1d8bd35e73b40325eb944251dfe1ce12ddbdc3bb2f08e1b3d05652334

  • SSDEEP

    3072:s6zOCAjl7dCU+R39XFkH6xwYigUrJopWco2o0W5BTrL8i6GOa0yLe7oGOUZ:s6al7dZ+nGH6xtLp/o2sPL8i6G0yK7o

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file.exe

    • Size

      256KB

    • MD5

      94a63411716991d1482cc6f34f8dd798

    • SHA1

      1138e285ad1b5d39cc038a857c096544547783e3

    • SHA256

      17b60ee2f89777c9dc8694d8098f7082590633459075bbed7108b578449a3c72

    • SHA512

      5740be4caf1266ecf6e27032b0db7545948e92e8c4d9b2fe84805bef044db30356fe8ee1d8bd35e73b40325eb944251dfe1ce12ddbdc3bb2f08e1b3d05652334

    • SSDEEP

      3072:s6zOCAjl7dCU+R39XFkH6xwYigUrJopWco2o0W5BTrL8i6GOa0yLe7oGOUZ:s6al7dZ+nGH6xtLp/o2sPL8i6G0yK7o

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks