Extracted

• • Target

    9b90e99043652fd044759bd26e1a6ef0N

  • Size

    71KB

  • MD5

    9b90e99043652fd044759bd26e1a6ef0

  • SHA1

    0b2b1752d9b3efb0778cb5f432b8df0f2d24fec9

  • SHA256

    9771659122d068ceb3bcb1965b659b1d16c9f3afd290e058d5feddb667a475ae

  • SHA512

    d2f7ecc6ebf815ec92a7541d615c51f8127ee62671065e27ac62dd96859ce8e08ebd9f397eb993e3565623253b9e16f09e47be6c07a9b02b40f8594cee554e44

  • SSDEEP

    1536:6kss21VCb7jTxSYgOuzTjFWL9bSpIrUc:61VCbrxSYFuzFFpIo

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2