Extracted

• • Target

    c5a29b2ac13e9b724ead74514c65eb64.exe

  • Size

    287KB

  • MD5

    c5a29b2ac13e9b724ead74514c65eb64

  • SHA1

    e6d5d64bd2e48758a14944b1e8eb5bff037fb719

  • SHA256

    f36163041b9be37f71e3196b12bc3e372bd05a10f189ce4348acce5a72cbeb6f

  • SHA512

    75e4d3f3003004e6b8c13ed76fd3268a75dc7562180ee9f4d521a0b4c6767308ff0d7bd9b01bd8932546b67b58da9e3273f1ad3115372e8e681492c1b1f137e1

  • SSDEEP

    3072:NHDgofgIyBl/1WHjg89OAYBuTlKKKzGRwuE12ZAOziEStT+lZE/wzFdQvHpIH/a9:FhI5dWDJ9OA5sGRwuE1Czi1t+ZzFm2

  Score

  10^/10

  tofseeevasionpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Creates new service(s)

    persistence

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2