Extracted

• • Target

    b3219a26698ad2826dcb475dd47efc5e018191c1abec6e10b6469c7a04749de4_NeikiAnalytics.exe

  • Size

    10.0MB

  • MD5

    ef7867eb7e9b5be895b1978d2c388fa0

  • SHA1

    665f43533d1fb49da13d7919e34aa5f60987f638

  • SHA256

    b3219a26698ad2826dcb475dd47efc5e018191c1abec6e10b6469c7a04749de4

  • SHA512

    a5525d28ef1a99d4ca798f132b120850e7a9293e11df84fcc814ae4413edfcf70631aac556df57927ee82ee24f99da3a7f77a06cc516835d20a7231f2d5b6203

  • SSDEEP

    196608:oaBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBX:9BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

  Score

  10^/10

  tofseeevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2