Extracted

• • Target

    668a73171bcfb225ce6748ef6108fa8bf9b02befb5ba5f392cdcff67926d78a2.exe

  • Size

    234KB

  • MD5

    f8df432779abcda0e118d44dc6dde5c7

  • SHA1

    2574314f96737d4a909246b06f6d0904b1b0e6f6

  • SHA256

    668a73171bcfb225ce6748ef6108fa8bf9b02befb5ba5f392cdcff67926d78a2

  • SHA512

    43974649ae90e164b8a17288c8c8b249dcdbac0a0c4fc9cdac70edbea455f880be7642e03c33e882e3a0bfaeccca46636398a604867451be52e059fc5fb1e75f

  • SSDEEP

    3072:5fPQrqA+LychM1+ziXtcsM/RHbyp+EpsVNg0cqF2Oq5pqIyYnAZ81MZ:mE1MOYcb/jxBUOqptZnAa1MZ

  Score

  10^/10

  tofseexmrigevasionminerpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Creates new service(s)

    persistence

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2