General

  • Target

    21c38ebbea03aa2ddce570a40ebcbf10217b80b9dde4924ce7119fb13d260edb.zip

  • Size

    177KB

  • Sample

    231119-z4c1psbf59

  • MD5

    85e2d7415b9cb78b607bcb45867f1070

  • SHA1

    28f7835cb4960bf3305d25a1a3294d0a20932776

  • SHA256

    8673677a6dad0f1e87e0a759df26831fd2f3249c8e68e8e0709edcc9295f18cb

  • SHA512

    15d1e3bcbf4cf0fc7cb55fbde4a16b437d427c1c16f39dffd87e3654d3220c139894accfecd7e2ffebcbb8c6bc140697c1589fe425caf581b333ff463cabd7e1

  • SSDEEP

    3072:KP0KEIRvs8jON857go/zHYKrSSE2/T0ty8kcXhY/SGlEqoVkCo9fD12X:cVm8Qnaeg/TVaQSGGuCss

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      21c38ebbea03aa2ddce570a40ebcbf10217b80b9dde4924ce7119fb13d260edb.exe

    • Size

      329KB

    • MD5

      c5acf32a68fc55104b5dafc61245bab4

    • SHA1

      8a1d49efbb20a987cd87d227c4c4016a36c76afb

    • SHA256

      21c38ebbea03aa2ddce570a40ebcbf10217b80b9dde4924ce7119fb13d260edb

    • SHA512

      8bc262803139c0420b71ffea63e772124446349d913bb194646c22f0d4dca0cd04d3a3108032c2f31618f482e86fbfa0aa4de63d7c53fcd03dcc438763970808

    • SSDEEP

      3072:y9xdm7sMhs6Y28qryW6A4bdZc4nJcJW+XkmwVWf4rEVjSHwZROr4bpLkC:yIths6Y28ehy5nJcU6QrEVjWlr4a

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks