Extracted

• • Target

    file

  • Size

    285KB

  • MD5

    a21e695f7a2af53e5208781c8a75da08

  • SHA1

    ad5000552a0b6dd28c8909287477ea9834b5ef48

  • SHA256

    f61b790784033096fb5f18ac2c17fa89b99a8ecebdd0e30148fe10133d42e8c0

  • SHA512

    875e52bd6bf5d15472adbf9a9a97f73c2af33e4629c54a43e3de4da41cad638ae27c55275725d3fc9400d690c3f4060161e52c928cdcc0b52be7838d8b952f59

  • SSDEEP

    6144:i2W+rLe/H5vsW/n/8d2f3f0nxcVoR9tw:i23y/Z0u/pf3Axc+hw

  Score

  10^/10

  tofseexmrigevasionminerpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Creates new service(s)

    persistence

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2