General

  • Target

    7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.zip

  • Size

    164KB

  • Sample

    231119-zyhc8scd5z

  • MD5

    e1f9aba3c21d8bcc79c3164472ed568e

  • SHA1

    8c5140c793e49049ea191b9f54768f21d59749ee

  • SHA256

    9874bc8b6b78691cd954785c407ca386d5d9cf0b5acb5fb0d903637889734e24

  • SHA512

    08ed564dd857aed550bc52b8f0fa1ba26503b6ad792254e29a095424c3cb38fc5ef7727663a386b0035368d0167e1b73cedeec4c36d5b7e03604b99ebde9fec8

  • SSDEEP

    3072:Stum6BSGBeab2SX3lxCm0v4/fGBVph/4RBiJxXJzq2AeBuseTs5jBRkRTSd:SABLjQJvqGhh/txXJGVTMjwSd

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee.exe

    • Size

      254KB

    • MD5

      02ac11d7691ed7141949fc5c03d5aae8

    • SHA1

      b122e23b4dfb29d4efedbbe7a72c75d696f8a7ac

    • SHA256

      7a4cfb277cc054d761bde28a0f92caa9f142ad61959923a023a0d8248ad1c4ee

    • SHA512

      c437f0cec3cbe5a62a650cafd0814016864c083a2df5a65000d0411b8249daec0744b7c948039a97848135a263ba183a9cb00876fbc3d22ee1e8322dfda0e55e

    • SSDEEP

      3072:M9xGAh803FPqB1HzqotaoQpxVKPk4hjw6EX7eUkpvTRSdnbr4rO/p/4CY/:w/8iYlAxVKMuELrdnbr4yG

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
