General

  • Target

    NEAS.e9b08e0dd330ea6a2244220dc04f7dec992c83cba8ab1e60e165850d69f5e3e4.exe

  • Size

    272KB

  • Sample

    231107-aqke7agg31

  • MD5

    fee0ff5c08cfec7096612df413966b32

  • SHA1

    b50ea1884eb3192031eca229f3d3dc3334d82902

  • SHA256

    e9b08e0dd330ea6a2244220dc04f7dec992c83cba8ab1e60e165850d69f5e3e4

  • SHA512

    55ccede54df0f3e9c5f82b60b8a910e57737682b1413cfc842dc11c7054505dedaec478f082db35ab566d49a75ea13d787b53a2888f0332350207b1c661f8c0e

  • SSDEEP

    3072:2VX8hrkLdqiqKwK5u5gF8FHAbAM6A0gpVhP5VWZVnU+:+8xkLcPSu5C8JDM6AFP9WZ5

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      NEAS.e9b08e0dd330ea6a2244220dc04f7dec992c83cba8ab1e60e165850d69f5e3e4.exe

    • Size

      272KB

    • MD5

      fee0ff5c08cfec7096612df413966b32

    • SHA1

      b50ea1884eb3192031eca229f3d3dc3334d82902

    • SHA256

      e9b08e0dd330ea6a2244220dc04f7dec992c83cba8ab1e60e165850d69f5e3e4

    • SHA512

      55ccede54df0f3e9c5f82b60b8a910e57737682b1413cfc842dc11c7054505dedaec478f082db35ab566d49a75ea13d787b53a2888f0332350207b1c661f8c0e

    • SSDEEP

      3072:2VX8hrkLdqiqKwK5u5gF8FHAbAM6A0gpVhP5VWZVnU+:+8xkLcPSu5C8JDM6AFP9WZ5

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks