Extracted

• • Target

    6H1CivMs9t.exe

  • Size

    236KB

  • MD5

    01d1940134ae9d585ee7faf141bba0cc

  • SHA1

    2c90ab735cf10e553347d28c1e292aed821ae3d3

  • SHA256

    a92d606e564f9e5f25a79c2d0745ff02ba1f65f062c025fc990da89c46e78038

  • SHA512

    7abe0dcb2c8850e7f598c712da1d9280e7723fb45fad58cbf5308e9d6e07701e6a88016f2cdb93d047ffe4b4453daf5ff0815b861d4473d65c8cd754ca27778e

  • SSDEEP

    3072:zFS8of+VlxyR25+BQocwlzrhMsbXvkP7xqZw0A5TuQTdzZ/pjDXYattjT4f:Sf+VlxyR25Noluq88wFuQTdJJXLm

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2