General

  • Target: 84e5c974047a59e9c250aa8e93a28b390267eea51a38a711bc28a229bf5eba96.zip
  • Size: 160KB
  • Sample: 231119-z4dbgace4s
  • MD5: a939994c2c015c1394f62f6279dbef8c
  • SHA1: c3ce705bd1e0e3dc4cf71075d14639521fc5caa3
  • SHA256: f24ca0e6736c057f3dae22b47a8da5d46e9a8abc78918d76d892ce4106b38a2b
  • SHA512: 2437b785f0cc262f2f4a8e837be7d6d1d26914cfdc66d94c2c497196ba1744223cf2e9d88ee6b7e8767550c7eab28b5ebbc831448d6ac82ede4608304506cfb0
  • SSDEEP: 3072:1dXby5HfqLTAul4H26r2DWn7WkZyChhhkpgPXnYGAIFyDNHjXq9S:1Vy5C/l4W6J3yCDhUDGUb

Malware Config

Extracted

  • Family: tofsee
  • C2:
    vanaheim.cn
    jotunheim.name

Targets

    • Target: 84e5c974047a59e9c250aa8e93a28b390267eea51a38a711bc28a229bf5eba96.exe
    • Size: 247KB
    • MD5: 17f7e745dbc9477f5edbb4a02df91b06
    • SHA1: 896216645904844e1c012a4ce76234d0c6795f97
    • SHA256: 84e5c974047a59e9c250aa8e93a28b390267eea51a38a711bc28a229bf5eba96
    • SHA512: b36ee1060d897d5b19e0e779ca48f9a7a336bcce2700c9c6c6eb549dfd9a49174262d39655079e0704a44749e280aefcb9813da4b7ce354b2105b74f374c2e9b
    • SSDEEP: 6144:h/1BvthPXgbdbpePeXYD4JFKtFF9duXI5:J1FLfOBsee44F9duXI

    Signatures

    • Tofsee
      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • xmrig
      XMRig is a high performance, open source, cross platform CPU/GPU miner.
    • XMRig Miner payload
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Deletes itself
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks