Extracted

• • Target

    21a5e8cf356706a639eee50ea97cecef91685eb906921245c314ac50950b9825.exe

  • Size

    10.5MB

  • MD5

    274d0ab4368246be7f22990d9d5cb4cf

  • SHA1

    d34547e852863893aef034effc726bf2ee227d02

  • SHA256

    21a5e8cf356706a639eee50ea97cecef91685eb906921245c314ac50950b9825

  • SHA512

    dab676f30f08c6719e26cc376c89803a14d89adf50c6ee31d941f724b3dae03ca1cce950a3dd7651e3ed5f40323b021c875cdd1dfbbba9952cd417d7a3f90e81

  • SSDEEP

    6144:Sc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:S1OZDisvwdaxO0PuG1R4CWs

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2