General

  • Target: file.exe
  • Size: 207KB
  • Sample: 231120-vrzaysab7s
  • MD5: e87285cfb0ee9f7291264ff4f12fc777
  • SHA1: 32578aaed30806b40f2dd4f49b4d31d11647e41c
  • SHA256: ad56f4e1da4441bb9630f80211f53f38d863abf7d7b29eb8f10c4f999753869a
  • SHA512: 614bbd43f369cec8d0c4c6d3e249ea538c4d9b213cf53cb2d6c48a7f483eb356f2724aa6e45ce4c32911cff1333c067be3552bd0100ab5150263f1dfe66cc949
  • SSDEEP: 3072:anmUbRBIs7CwOid/I0c0tDM12vpBLLDE7Z4iNFSbvLdj:0HISC/i5/tnXLvEKW8L

Malware Config

Extracted

  • Family: tofsee
  • C2: vanaheim.cn, jotunheim.name

Targets

    • Tofsee: Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
    • Windows security bypass
    • xmrig: XMRig is a high performance, open source, cross platform CPU/GPU miner.
    • XMRig Miner payload
    • Creates new service(s)
    • Modifies Windows Firewall
    • Sets service image path in registry
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Deletes itself
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
