Extracted

• • Target

    13b33a486005cadd434187ba6dfaabc4ffbfa296fa26eb7883db5ed646fdc985

  • Size

    11.6MB

  • MD5

    f537901667e970bb0f90a23d9f41ca47

  • SHA1

    c6ff27c4a677c05b8b499378f766fee2dfc00b0a

  • SHA256

    13b33a486005cadd434187ba6dfaabc4ffbfa296fa26eb7883db5ed646fdc985

  • SHA512

    c2008c469dca56c4f6a8129537a381d28aadf189238a78fea99117bb6bf10188a55f3de5c0614303d78227fe1b1af38f2ace7b630a5031935b99e7d11b45f1c3

  • SSDEEP

    1536:08TmBIho1tWbUTN108XOxeP8Vzim18+MHpShmKFWTWCg1IEOxBIhZZCt:76Oi0UpDexBNNcowKMTWB1InxOZZCt

  Score

  10^/10

  tofseeevasionpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistence

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2