Extracted

• • Target

    file.exe

  • Size

    265KB

  • MD5

    7364153ac768f974a449e9279673856f

  • SHA1

    6b8b4e81cf26e4956e9249a3fd6d706c6d5915c2

  • SHA256

    efd2425ed515feb6c6010e9f7710c48bfff3e2dba0838284d591a2f1947089b7

  • SHA512

    95feb050666656d336cd7e098612da0e0b577ccd938c4a8b963ef65afc0111e3b8cecf48d7d09cfea0929efcfed9c2c43ee854e96931959c20c74b5707e12614

  • SSDEEP

    3072:6Xh2BaHgLX1N1Db4H85RDm0jIwvsTF0ZaU/ofnMJjozpxO5lUZNTKXWPr0sdF:asLXBb4H90Q0Za2JjozgaOuN

  Score

  10^/10

  tofseexmrigevasionminerpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Creates new service(s)

    persistence

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2