Extracted

• • Target

    38972935c945a1678727dec76e0f3a9d7914647f30f84d01683f6d3a22c2b43f_JC.exe

  • Size

    206KB

  • MD5

    991269e0fee66cecedbefc1c229c5476

  • SHA1

    9d4d824280faed254c0c0c497c918a21336ff69e

  • SHA256

    38972935c945a1678727dec76e0f3a9d7914647f30f84d01683f6d3a22c2b43f

  • SHA512

    13a8bb82fb4cae4f2ac8687d7b3ac171c0e7203e590a5d6db4c882d79cf12b7b5ba3af1eec1bf27e2ad19b64ede293840041f0d95d807b46e4c36bb9844bd07c

  • SSDEEP

    3072:zG2kPKjL6KNCjZNzDpjAQSOLvEpNSL7EeAHxefDPRvTqkz5WMYTgK:JkSjLVNCj/zD9AEwz20efjBGMYTd

  Score

  10^/10

  tofseexmrigevasionminerpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Creates new service(s)

    persistence

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2