Extracted

• • Target

    281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913

  • Size

    13.1MB

  • MD5

    873c0a981c80da05593897c6aec0e842

  • SHA1

    3fb083e944c36cc3a938e64d9c10ace3065d444a

  • SHA256

    281caa07aa1da7dbfecf48057da8f8d81fa98661de792de568d5d26765d57913

  • SHA512

    27c119c25dbe7cca2da3043eff931bfc0d9ad5b34cd7489000181cf3d8aa6814b83ef1185f6e7f692e9e87cca17d9b5c5d89ab0402e9264840fa80f5da21800d

  • SSDEEP

    393216:tkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk7:tkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk7

  Score

  10^/10

  tofseeevasionpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistence

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2