Extracted

• • Target

    file.exe

  • Size

    228KB

  • MD5

    e73f955a0070c77ba26a4691c40b1dc0

  • SHA1

    fb0eb89ece11cb6ff4199632af7ee9fd301f0179

  • SHA256

    24a1155958c5f919c19d5f21073b3029fb12d7fd3efa79cade7b857bf4a23bc5

  • SHA512

    8759aeb29d613a533b1dbb89cc3b0067d8c5f64725930ea8912dba4fc5eb526d2a9305451ce4aa9a6dc34d6a16bce088c26ea0e94b9a2d2b95ed3346771f9fc5

  • SSDEEP

    3072:ns+QELbm7m5k7Ox/mp9GDIErDO+FLW4P84nNj1/uapj1cNQK1+eJV5u43:NVLbmzSOpwrrDO+BW85Nx/u41eRu4

  Score

  10^/10

  tofseexmrigevasionminerpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Creates new service(s)

    persistence

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2