General

  • Target

    03b34511e2b93c772e8effc9f6ee7a88.bin

  • Size

    160KB

  • Sample

    231107-bdd83sag77

  • MD5

    69e1402ce315f20bddbe49afd2797131

  • SHA1

    5ab0ea9764b1de651135f5e7dcad7b4e4d1fa4c2

  • SHA256

    bf344d1bfe3e7a666253f21fde6949b2a0692170ae90f8b3a26e0504d4909b3b

  • SHA512

    be88bd4c3790ef3354368b642e95974249edfc4e100439054f23c9f06acd39bc8de12480775c20feb0e9ba20798c456fa2ffa8d1e8d6d00454593772db4bbea9

  • SSDEEP

    3072:tj6Q/m4d7Urn1WqajZdj31kW2Sb/6NXWVEapUGzwiVghYUK:hQ50jHjWW2BpWq7iuh1K

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      4470acf5c0eef39191bafcdc34243ed0dc02d72f99ac148987b1eefdbd198adf.exe

    • Size

      254KB

    • MD5

      03b34511e2b93c772e8effc9f6ee7a88

    • SHA1

      cd0498093ce14b3c41b98b82d27e02906e756de8

    • SHA256

      4470acf5c0eef39191bafcdc34243ed0dc02d72f99ac148987b1eefdbd198adf

    • SHA512

      9acfe12a79febc08ed710b917daf18c066048b742c943a8137225320716cd289f39cf2f30c02424a2746675869156183671953b3aa9fc0a8a96004d1ed115cf4

    • SSDEEP

      3072:XFRLY++OCLyi6Q0YCJNspaJkGQq94IXkihxd79nD6zBgwoq5Xa2lVEf:VRLY+lCLyiWY27JkBq9Dhn72gCaGI

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks