Extracted

• • Target

    AvDJi40xp_9fyz7RPmKdbxb4.exe

  • Size

    229KB

  • MD5

    b40b6b9bd2f7d17a65c72469ee2e2cfa

  • SHA1

    859ffdfda568b34e1c3ded9f846dea6e8774f5b5

  • SHA256

    f37f32eb1c859541773f55297fb1e05bbfc2874851fc7bbd4e185d3a6a1b6583

  • SHA512

    7a4b7171000f8dad0eed766e212ee6c9ebf6431175291442524383232f5455f6bc3e8b224c31dc8bf48ad0cba4ef7637edd4dcc8f32e48f93fb9ea7036adeae1

  • SSDEEP

    3072:DI/quXXuYu/IdYKV97eRuWYxYBouZdSzBS7sy4iIb:DYqKXzEIzSbYxYTAS7W

  Score

  10^/10

  tofseeevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2