General

  • Target: f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.zip
  • Size: 158KB
  • Sample: 231119-z4dbgabf63
  • MD5: 5a6fd66af9d163e2d1094ae89c21c946
  • SHA1: 893e6c8e78714db01c5a740329beb22345cec389
  • SHA256: becf293dd7aa8baad8a9d96312225fd25f597318f259056bf7ba45f46dc3a560
  • SHA512: 9b68d666df7e711564e653a9c07fb3a38caf3288c16112bbf3829f6b2a748f801ffbeb993f3c1d07d870ad0370450fb00e1406c591831c71c64ade6835face2b
  • SSDEEP: 3072:s6NqstztwLxyDLo8opFKAEq5zqdkAzJaXwNAUIYBXTSjUWNK1ai:x0LxyYzpF7jzqdkAbhIYBXOrU

Malware Config

Extracted

  • Family: tofsee
  • C2: vanaheim.cn, jotunheim.name

Targets

    • Target: f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1.exe
    • Size: 265KB
    • MD5: 695c14c51ae9ff59157cf69f97b2d1cc
    • SHA1: 4688eea11efa5c61c7704b5ca80196eb9099e867
    • SHA256: f2b4ea5a8678e6b4ff70b238e34a208f4287f113ba6a65c12592a01cf9cf17c1
    • SHA512: e43e45420544f2fd736f2427443941f1da5b8d4a74d4c9d2e0a95c8306b2f10e12beaa6b0c2ec2715ecbd66b41431f404c942c32720a8b3ee2afa640657d4688
    • SSDEEP: 3072:d6LaowspCAE+mYgDxv5l7Iek5Ym7IQoiteVFWbVD22WsgAsR6c7ovb3TQh9:SaWCAF5Cf7Iem57InitGMxycQMrT

    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • xmrig: XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.
    • XMRig Miner payload
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
    • Deletes itself
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
