Extracted

• • Target

    5cd15870f14f42e24bb1d80f918cbd36d656eecb2467ac83a0a5989672d2e6cb

  • Size

    10.0MB

  • MD5

    5293de8cdb49157e590e9df71efcc336

  • SHA1

    37b0c4f5fcc70fa5d3642a59261238d5ac343547

  • SHA256

    5cd15870f14f42e24bb1d80f918cbd36d656eecb2467ac83a0a5989672d2e6cb

  • SHA512

    138eff6b2ecb4ab8181013ebf4078998edee61a4b509f7798dcb04b05cd080ac92dbe78482653b94235fc0383c978e1fc80fc8022bb65cc8c51552666bc842de

  • SSDEEP

    24576:HcHuqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqy:H

  Score

  10^/10

  tofseeevasionexecutionpersistencetrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2