Extracted

• • Target

    de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b.exe

  • Size

    302KB

  • MD5

    c47f32f68a1ca3309768b48ec98cd752

  • SHA1

    ab24f2d6a2cacd0b807b2a174e4c43e8d629b32e

  • SHA256

    de3f27526eca92d8bab305d2942fbaf89d96b5fda6467dbf931b373868215b0b

  • SHA512

    747db0d277eac21cdb2f51862fe861e27b444bdae4ed08bcc92a92d27c75c6ee602723fa102a3501f980bea18bd2c9a500113c6e9cf42d752240e145b1bd610d

  • SSDEEP

    3072:Muy7xHO5Ur+3sfGjmvp8hPdJidlfZl8ebAGMR5zODTKchd+OH:xy7xHvrmsejm6d2NZlDAGMHOKcv+y

  Score

  10^/10

  tofseexmrigevasionminerpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Creates new service(s)

    persistence

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2