Extracted

• • Target

    e75735f7291fe1d0d38a5f7f8f25eeebcb347619dd1df065ea2ea7cb077e35e8.exe

  • Size

    213KB

  • MD5

    e468614fc58a4100991210b073621dd3

  • SHA1

    c75a31fb2d660bda920034a6c6caecdf1d1f690d

  • SHA256

    e75735f7291fe1d0d38a5f7f8f25eeebcb347619dd1df065ea2ea7cb077e35e8

  • SHA512

    e513e3da86bb5defd047026f1aa6d21c7676a2939eefbd1e3ea1c67cecc0ca486f3f47c67ce5768da33d0b480eec4f4b98b99c60b39213b3988efbdbb9fbe358

  • SSDEEP

    3072:2g8L7IZulOSCTwH+3AufD3wmLK2z4sOYwkYrW5B51zI7iMWkv:A0ulO6ArfLKwdZ07iMFv

  Score

  10^/10

  tofseexmrigevasionminerpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Creates new service(s)

    persistence

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2