General

  • Target

    file.exe

  • Size

    257KB

  • Sample

    231119-se1l5sbd3w

  • MD5

    8236b680d9c9e22e2888f06630f1605f

  • SHA1

    16d395b61b578c49bbc94daa6e57e78394af20ea

  • SHA256

    5edd21bf37afaa60ad092deb91977372ad05a64e9f3de9857641696c2e97cac0

  • SHA512

    c97835b3f118c78b23917affc922b3e8c725e62fadefc848dae228d13cb46b09d2e6c03945369bf44852ddd210fa7cd769918bf15b0256a447c31dbb1419208a

  • SSDEEP

    3072:uP0wZ4/vqpVJ+XYYnyeA6wvQMWcGLG4SEVjXRBX7ovb1Yj:EoGYXYYnyeA7IMWcGLFV7LM
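Before working on a local copy, confirm it is the file this report describes. The following is an added example and not part of the sandbox report: it computes every reported digest in one pass and compares them. The digest values are the report's; the file path and the `digest_bytes` helper are assumptions. SSDEEP is a fuzzy hash and needs the third-party `ssdeep` package, so it is deliberately not checked here.

```python
"""Check that a file on disk is the sample this report describes.

Added example, not part of the sandbox report. REPORTED holds the digests
from the report's General section; the path given to check_file is an
assumption. The SSDEEP value (3072:uP0wZ4/...) is a fuzzy hash and would
need the third-party `ssdeep` package, so it is left out on purpose.
"""
from __future__ import annotations

import hashlib
import io
from typing import BinaryIO

# Digests exactly as listed in the report for file.exe (257KB).
REPORTED = {
    "md5": "8236b680d9c9e22e2888f06630f1605f",
    "sha1": "16d395b61b578c49bbc94daa6e57e78394af20ea",
    "sha256": "5edd21bf37afaa60ad092deb91977372ad05a64e9f3de9857641696c2e97cac0",
    "sha512": (
        "c97835b3f118c78b23917affc922b3e8c725e62fadefc848dae228d13cb46b09"
        "d2e6c03945369bf44852ddd210fa7cd769918bf15b0256a447c31dbb1419208a"
    ),
}


def digest_stream(stream: BinaryIO, names=tuple(REPORTED), chunk_size: int = 1 << 20) -> dict[str, str]:
    """Compute several digests in a single read pass over the stream."""
    hashers = {name: hashlib.new(name) for name in names}
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> dict[str, str]:
    """Same as digest_stream, for a sample already held in memory."""
    return digest_stream(io.BytesIO(data))


def verify(actual: dict[str, str], expected: dict[str, str] = REPORTED) -> dict[str, bool]:
    """Per-algorithm match, case-insensitive.

    Any False means the file is not the reported sample (or a digest was
    transcribed incorrectly); a single matching algorithm is not enough.
    """
    return {name: actual.get(name, "").lower() == value.lower() for name, value in expected.items()}


def check_file(path: str) -> tuple[bool, dict[str, bool]]:
    """Return (all_match, per_algorithm_result) for the file at path."""
    with open(path, "rb") as f:
        actual = digest_stream(f)
    result = verify(actual)
    return all(result.values()), result


if __name__ == "__main__":
    import sys

    ok, detail = check_file(sys.argv[1] if len(sys.argv) > 1 else "file.exe")  # path is an assumption
    for name, match in detail.items():
        print(f"{name:7} {'match' if match else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

Run it as `python check_sample.py file.exe`; a non-zero exit means at least one digest differs, which is the signal to stop and re-acquire the sample rather than analyse the wrong file.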

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      file.exe


    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
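The signatures above describe host behaviour that leaves traces in standard Windows event logs, so they can be turned into a hunt on a fleet. The following is an added example, not part of the sandbox report or of Triage: it maps the report's C2 domains and its service, firewall and miner signatures onto exported event records. Everything except the two C2 domains and the signature names is an assumption: the record shape (one JSON object per line with "log", "id" and "data"), the choice of event sources (System 7045 for service installs, Security 4688 with command-line auditing for process creation, Microsoft-Windows-DNS-Client/Operational 3008 for DNS queries), the regular-expression heuristics, and the sample events, which are constructed and contain no real Tofsee artefacts.

```python
"""Hunt for the behaviours in this Tofsee report across exported Windows events.

Added example; not part of the sandbox report or of Triage. Assumptions:
  * records are JSON objects, one per line, with "host", "log", "id", "data"
  * event sources: System 7045 (service installed), Security 4688 (process
    created; CommandLine requires command-line auditing), and
    Microsoft-Windows-DNS-Client/Operational 3008 (DNS query completed)
  * the regexes and the svchost noise filter are heuristics, not report facts
"""
from __future__ import annotations

import json
import re
from typing import Iterable

# Indicators taken from the report's Malware Config section.
C2_DOMAINS = {"vanaheim.cn", "jotunheim.name"}

# Heuristics (assumptions, not from the report).
SYSTEM32_PATH = re.compile(r"(?:^|\\)windows\\system32\\", re.IGNORECASE)
NETSH_FIREWALL = re.compile(r"\bnetsh(?:\.exe)?\b.*\b(?:advfirewall|firewall)\b", re.IGNORECASE)
XMRIG_CLI = re.compile(r"stratum\+(?:tcp|ssl)://|--donate-level\b|\bxmrig(?:\.exe)?\b", re.IGNORECASE)


def image_name(path_or_cmdline: str) -> str:
    """Base name of the executable in a path or command line (quotes handled)."""
    s = path_or_cmdline.strip()
    s = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(" ", 1)[0]
    return s.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_new_service(ev: dict) -> list[str]:
    """System 7045: 'Creates new service(s)' and 'Sets service image path in
    registry'. svchost-hosted services are skipped as Windows noise."""
    if (ev.get("log"), ev.get("id")) != ("System", 7045):
        return []
    image = ev.get("data", {}).get("ImagePath", "")
    if image_name(image) == "svchost.exe":
        return []
    tags = ["Creates new service(s)", "Sets service image path in registry"]
    if SYSTEM32_PATH.search(image):  # circumstantial: image lives in System32
        tags.append("Drops file in System32 directory")
    return tags


def rule_process(ev: dict) -> list[str]:
    """Security 4688: netsh firewall changes and XMRig-style command lines."""
    if (ev.get("log"), ev.get("id")) != ("Security", 4688):
        return []
    data = ev.get("data", {})
    cmd = data.get("CommandLine") or data.get("NewProcessName", "")
    tags = []
    if NETSH_FIREWALL.search(cmd):
        tags.append("Modifies Windows Firewall")
    if XMRIG_CLI.search(cmd):
        tags.append("XMRig Miner payload")
    return tags


def rule_dns(ev: dict) -> list[str]:
    """DNS-Client 3008: lookups of the report's C2 domains or their subdomains."""
    if (ev.get("log"), ev.get("id")) != ("Microsoft-Windows-DNS-Client/Operational", 3008):
        return []
    name = ev.get("data", {}).get("QueryName", "").rstrip(".").lower()
    if name in C2_DOMAINS or any(name.endswith("." + d) for d in C2_DOMAINS):
        return [f"Tofsee C2 lookup ({name})"]
    return []


RULES = (rule_new_service, rule_process, rule_dns)


def hunt(events: Iterable[dict]) -> list[tuple[str, str, int, str]]:
    """Return (host, log, event id, signature) for every rule hit."""
    hits = []
    for ev in events:
        for rule in RULES:
            for tag in rule(ev):
                hits.append((ev.get("host", "?"), ev.get("log", "?"), ev.get("id", 0), tag))
    return hits


def hunt_jsonl(text: str) -> list[tuple[str, str, int, str]]:
    return hunt(json.loads(line) for line in text.splitlines() if line.strip())


# Constructed sample events (invented for this example; not from the report).
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"host": "ws01", "log": "System", "id": 7045,
     "data": {"ServiceName": "UpdSvc", "ImagePath": "C:\\Windows\\System32\\updsvc.exe", "StartType": "auto start"}},
    {"host": "ws01", "log": "System", "id": 7045,
     "data": {"ServiceName": "WpnUserService_1a2b", "ImagePath": "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup"}},
    {"host": "ws01", "log": "Security", "id": 4688,
     "data": {"NewProcessName": "C:\\Windows\\System32\\netsh.exe",
              "CommandLine": 'netsh advfirewall firewall add rule name="Core Networking" dir=in action=allow program="C:\\Windows\\System32\\updsvc.exe"'}},
    {"host": "ws01", "log": "Security", "id": 4688,
     "data": {"NewProcessName": "C:\\Users\\Public\\wup.exe",
              "CommandLine": "wup.exe -o stratum+tcp://pool.example:3333 -u WALLET --donate-level=1"}},
    {"host": "ws01", "log": "Security", "id": 4688,
     "data": {"NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}},
    {"host": "ws01", "log": "Microsoft-Windows-DNS-Client/Operational", "id": 3008, "data": {"QueryName": "jotunheim.name"}},
    {"host": "ws01", "log": "Microsoft-Windows-DNS-Client/Operational", "id": 3008, "data": {"QueryName": "www.example.com"}},
])

if __name__ == "__main__":
    for host, log, event_id, tag in hunt_jsonl(SAMPLE_JSONL):
        print(f"{host}  {log}:{event_id}  {tag}")
```

On real exports, feed the JSONL of the three logs into `hunt_jsonl`; a host that trips the service, firewall and C2 rules within a short window is the pattern this report describes, while any single rule on its own (a new service, say) is routine and needs the others for context.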

MITRE ATT&CK Enterprise v15

Tasks