General

  • Target

    NEAS.7291a205dba93db221ee6d6da61d00580f9ddbaf9424465522138b6cb1bbc1b7.exe

  • Size

    262KB

  • Sample

    231107-acjazaac25

  • MD5

    81f5904645e44483a57226ab60e0390b

  • SHA1

    0bd97534d23998b6d554b48bddd0015d199808ec

  • SHA256

    7291a205dba93db221ee6d6da61d00580f9ddbaf9424465522138b6cb1bbc1b7

  • SHA512

    5403b05a65105351fa5b6bc351b3613f930d16bbc0507045a340282029fdc688234fe3f92ef15fcdc9011650a3f96533f9254348bcf33159f381e8914abf281e

  • SSDEEP

    3072:pFzu3GMDmWLo3NrmuvLLCRpKbm/EJx9teHFKe0fk02q5XI7lVEaP:zzu2MqWLo9rmCXCR38biHF080VIjt

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      NEAS.7291a205dba93db221ee6d6da61d00580f9ddbaf9424465522138b6cb1bbc1b7.exe

    • Size

      262KB

    • MD5

      81f5904645e44483a57226ab60e0390b

    • SHA1

      0bd97534d23998b6d554b48bddd0015d199808ec

    • SHA256

      7291a205dba93db221ee6d6da61d00580f9ddbaf9424465522138b6cb1bbc1b7

    • SHA512

      5403b05a65105351fa5b6bc351b3613f930d16bbc0507045a340282029fdc688234fe3f92ef15fcdc9011650a3f96533f9254348bcf33159f381e8914abf281e

    • SSDEEP

      3072:pFzu3GMDmWLo3NrmuvLLCRpKbm/EJx9teHFKe0fk02q5XI7lVEaP:zzu2MqWLo9rmCXCR38biHF080VIjt

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks