Extracted

• • Target

    file

  • Size

    238KB

  • MD5

    51ffe610f2d2622d296524c8fb85f879

  • SHA1

    72e064dc54e07262f34c2c80ca4f0855d893817a

  • SHA256

    df050e76b4d3cfb9a43d67ef1359ac8f98697ad987dbf3602f35e62a77144cfe

  • SHA512

    4f0215560d1c37fc5c54921099ea18e41cdf73d3dbc98927f424a13c2905d02a6f060581a9e0589210456077e5a23ed4fd6fd1854d2cfa5f70325885f0f744a3

  • SSDEEP

    3072:8vWq9BylhWz4dSXiei87VmTOakmo0SykjTlpP0fsfCGZ5Ffy6Jp4bo6:8uZCzySXZbMsmo0GDPKsfCD6Jp4

  Score

  10^/10

  tofseexmrigevasionminerpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Creates new service(s)

    persistence

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2