Extracted

• • Target

    93de16bcf457b70d7560f20677998262f9290568825304a825dd58d256ca87e1

  • Size

    310KB

  • MD5

    6088b3e371bdb0a61e8a706f63fe152e

  • SHA1

    af8b7d9745e6699fce58d5ce44b9e927e9509813

  • SHA256

    93de16bcf457b70d7560f20677998262f9290568825304a825dd58d256ca87e1

  • SHA512

    a4415e1d71e302782a705bd1fd28b6d4045db0465422c67f9204ef0f4f0821ff4fe95a1de3089a35b0093821e0df88642fca061639228472449114b35ea00639

  • SSDEEP

    6144:aTL/wh68dbzVB2AuMMz/zET38j45eB8i6Wb93Y:aTbwhdd/P5rMz/O3/MKiH3Y

  Score

  10^/10

  tofseexmrigevasionminerpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Creates new service(s)

    persistence

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1