Extracted

• • Target

    13b61045b92866c3ab14e075ea80fa6c4e63ef3e22eb582bf542cbfb2ae6f610.exe

  • Size

    351KB

  • MD5

    4a18a94055dba3c5ad2fa1a10582eec3

  • SHA1

    fc0c32941f69383c2ab6ae53af514331fe68af84

  • SHA256

    13b61045b92866c3ab14e075ea80fa6c4e63ef3e22eb582bf542cbfb2ae6f610

  • SHA512

    5bf4346b3fce12a314f6327f840d88e2ea1d7f00c5fecb7f2b14d2eb69a447008bccc52508728791a7a8eaecccfa0b99fe51c032875e18adc64a212434e5fbf4

  • SSDEEP

    6144:aVvvhSKsCU9XmGm0kn0MM7FOmSafuzq+7XUBybbCt:aVvkKsFMGm0k0MM7lSqutDUub

  Score

  10^/10

  tofseexmrigevasionminerpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Creates new service(s)

    persistence

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2