Extracted

• • Target

    d572033c59d050ae0a7b6cafa3728a7675721bff18f4087fee4e8d8692c0a974

  • Size

    10.9MB

  • MD5

    00648d8195f97b68fb658c75f256f2b4

  • SHA1

    e45eb357905049dbfe81ad64a87fe4158392aeab

  • SHA256

    d572033c59d050ae0a7b6cafa3728a7675721bff18f4087fee4e8d8692c0a974

  • SHA512

    d70b12a153aa790925c134c638a522190930fc701d6cd45aff119a292d4657c4084fcafb424093d248421e26f2dd728526759e7f93a49147fdec937f7c86923d

  • SSDEEP

    196608:ITTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTX:

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2