Extracted

• • Target

    file.exe

  • Size

    328KB

  • MD5

    4cdaa2afa42747ef38a6b647ab9eb05e

  • SHA1

    232022c56f435336d8d71460d72de1d58f190039

  • SHA256

    c99cbf6d177405e5aedb7e6bb29f5558b21678dcb8d092bf8bc57479de81ff7a

  • SHA512

    d28387bdf95eb49590c2781293c0ab370716c87b2f3a0d0177cf6579ffecbfc9150ed2c4ada1a4c5624b0b97b5ad506e9893818f7167727f4847065bd8fd3499

  • SSDEEP

    6144:D8vFYjOoUAsp3LC3O8Lg06p7dBA0X+icTJY:DKwC55kO8E04OicT

  Score

  10^/10

  tofseexmrigevasionminerpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Creates new service(s)

    persistence

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2