Extracted

• • Target

    file.exe

  • Size

    224KB

  • MD5

    c6e98154d70ff945b57a34672b079f8b

  • SHA1

    974ff92bf1b05ded542f78d1cacbe393e45d14ca

  • SHA256

    effe259551ba3d74c30cf199724bde0dfe868f151888a1db4186f09a87f03430

  • SHA512

    eaff51193819c0c1b8d8fd704c555698ba3c732c950d2c5fbb5b18fac891ce0261586ca196de1544f1431e32e43633d84d9c8ac7c4efb18639b064f71132280c

  • SSDEEP

    3072:uXpHrHDK4ViDgeUcS9F6Yl2DcCqWl6t/CM4Q77JubohP8S5lOMIqTyh:2hDDDiN7Sz6YEDzq+j677GohP8+IqT

  Score

  10^/10

  tofseexmrigevasionminerpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • XMRig Miner payload

    miner

  • Creates new service(s)

    persistence

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2