General

  • Target

    7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.zip

  • Size

    164KB

  • Sample

    231119-1ah6asce7z

  • MD5

    5e300db537d71b26630d1a3588e0c6c7

  • SHA1

    dc3b44a5e8e3d1059322b3a78c3cf64181612348

  • SHA256

    52a6136eafaa474e442adec1f75f3a82b66fb0ba1101bfa1f55348c39ec2abb8

  • SHA512

    893edcf8b0490d3f163e502cfbc9fbbe9e0b65c42385d6f7b42f8997f7018a164de8295e22b81b7b27a65197f1b14e84730fa7214fc1c83149ec4b84b67ef8e2

  • SSDEEP

    3072:lPHA5UGI9fjPoklZVYW//Xpfog3MENejl6Z/rkJexG7ry/X:lUreTNmw1og3MPjl6ZAIxG6f

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn

    jotunheim.name

Targets

    • Target

      7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe

    • Size

      254KB

    • MD5

      02ac11d7691ed7141949fc5c03d5aae8

    • SHA1

      b122e23b4dfb29d4efedbbe7a72c75d696f8a7ac

    • SHA256

      7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee

    • SHA512

      c437f0cec3cbe5a62a650cafd0814016864c083a2df5a65000d0411b8249daec0744b7c948039a97848135a263ba183a9cb00876fbc3d22ee1e8322dfda0e55e

    • SSDEEP

      3072:M9xGAh803FPqB1HzqotaoQpxVKPk4hjw6EX7eUkpvTRSdnbr4rO/p/4CY/:w/8iYlAxVKMuELrdnbr4yG

    • Tofsee

      Backdoor/botnet that carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks