General

  • Target

    35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.zip

  • Size

    158KB

  • Sample

    231119-z4c1psce31

  • MD5

    3954d90937944936b0a10d6e7566ec78

  • SHA1

    4a4d9635f44089f57251d50030963ac7635eee38

  • SHA256

    66782bd3ba0f90793030b8bab0108c6467758a807ac2b7fc55b4ae5e9152cadf

  • SHA512

    8f073a568f29ed1ee0b28d4ec21a1d4fe91a4a7d4b9a9ef3d87b6881ef486e4e2e0bbc58823873d1c064fd9116b8f7f98b9cf2fd5a27ffffc600bcb0a669d5b4

  • SSDEEP

    3072:fUuwoSlDLneZWBreU9Yz6DOSE1nQavPoiSOduOYlJz0y7almISu6:fUJoSn9eU9jE1nCiSJPB5T3

Malware Config

  • Extracted

    Family

      tofsee

    C2

      vanaheim.cn

      jotunheim.name

Targets

    • Target

      35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652.exe

    • Size

      274KB

    • MD5

      59e1227450eb946f0eb83fad2f72b1f5

    • SHA1

      b78400bfe2fb0dbe892b1dff5220a7de2c43dfc6

    • SHA256

      35da7aab0d190d5aeb04eaaa179c1cbd2302004c7671d6c71bc078a3df97d652

    • SHA512

      19fd57f8a026cd2cc64f4d8ac99538b9d90f9a33a3d70c2061131ea5094a53fa0c4bf23a6adaf51d06bdd799236860311cb4f67e7503ac43259461aedfeda1c2

    • SSDEEP

      3072:QlnO9lcF4LS5ZUsBHS9R071uEcR647ovb3Trh6e:UnXKL+By9R0ooMMrT

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks