Extracted

• • Target

    file

  • Size

    352KB

  • MD5

    4d768bf2303a1391c5eb0891c9662770

  • SHA1

    08e5911e2c335640e7b7cbb93f9662378e4e785d

  • SHA256

    c39f1d7d7f1d4e6a21f46482e597b50b2059e762e57959763b453faf5b3d61af

  • SHA512

    c4ec611914a46633c4126f05e0332261298215ff5849378beb24780462c589890b8b888ed0e620d58561158e1020b98eb7463bc7cebf801ee653b553945c78e0

  • SSDEEP

    3072:saDCA3TPzmxHwT4ABKsFg6sXtecSNP5wTFfRhDbuXK3cuiM5vTHV9w385dEimL/G:HDxmVQ4s7lsXjRa63nHV3wQdEL/9Ti

  Score

  10^/10

  tofseeevasionpersistencetrojanxmrigminer

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Creates new service(s)

    persistence

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2