General

  • Target

    8236b680d9c9e22e2888f06630f1605f.bin

  • Size

    156KB

  • Sample

    231121-cqg16sbe93

  • MD5

    ac9ca872a9a6819436c7f458c6e91448

  • SHA1

    ca00bcb4a2fdc6ba589da49c2c30654cf2902684

  • SHA256

    3356c4c1001f11de862cefcabb29c1309e3a5d264907dc30e035b87da6de80db

  • SHA512

    8e875622ad43f9d8d766a7812ae28abf39f35e193c14139979ea27b29b9454b1e651ce17529db6441464f914302e58a64c42b911b82299734d049c183cb23bfe

  • SSDEEP

    3072:XAp6TMQ+3JEm+FlTnDuGRrgAWUTD1Dbdh+AdH+RwIuUCXM2+1SgtamwUlxJRCFae:XAVp3qm0UAWUTD5bd0AdH+RMUp2+083Y

Malware Config

Extracted

  • Family

    tofsee

  • C2

    vanaheim.cn

    jotunheim.name

Targets

    • Target

      5edd21bf37afaa60ad092deb91977372ad05a64e9f3de9857641696c2e97cac0.exe

    • Size

      257KB

    • MD5

      8236b680d9c9e22e2888f06630f1605f

    • SHA1

      16d395b61b578c49bbc94daa6e57e78394af20ea

    • SHA256

      5edd21bf37afaa60ad092deb91977372ad05a64e9f3de9857641696c2e97cac0

    • SHA512

      c97835b3f118c78b23917affc922b3e8c725e62fadefc848dae228d13cb46b09d2e6c03945369bf44852ddd210fa7cd769918bf15b0256a447c31dbb1419208a

    • SSDEEP

      3072:uP0wZ4/vqpVJ+XYYnyeA6wvQMWcGLG4SEVjXRBX7ovb1Yj:EoGYXYYnyeA7IMWcGLFV7LM

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks