Extracted

• • Target

    181e6f88cf32348d8247bb3c4deb07bf44b677656b43b37a30dfad4a3b3e2935

  • Size

    12.1MB

  • MD5

    0906ff34f48334d4563ca2df39b3cef7

  • SHA1

    289a0a4287b6e42e680a9b7efa0585fd97708f2e

  • SHA256

    181e6f88cf32348d8247bb3c4deb07bf44b677656b43b37a30dfad4a3b3e2935

  • SHA512

    41545edf3fc63015f8bf2d094de7c17688889fbf4956fadd0b2447da2a870967606ad06971b3db4f28de7e8c777a1dcfec67bb8a99454d1598f1a42bb20580f6

  • SSDEEP

    196608:gXPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP/:g

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2