Extracted

• • Target

    a0330635ce7a544213e96160b46657fbc7c774c29e7224d9d9d7363253fd53f4

  • Size

    13.9MB

  • MD5

    2b34fa5102a1706dae4a66b48d08dd4e

  • SHA1

    28c2e4119f1ad75f64ca6c63edcf7709fbc65f32

  • SHA256

    a0330635ce7a544213e96160b46657fbc7c774c29e7224d9d9d7363253fd53f4

  • SHA512

    ad94a47157e1457699e9b6334c461b0c4d223958c72e133f68859e0a0c0f3886da8edb629a1a7e5fd594a8c0944b3e43c7e916f4059785cfd8b05c3cacd93223

  • SSDEEP

    3072:I1MBkxvfGaF/FzWb9VT5aLj/JSC5kJwSFjhvoGECaNwxAk8Je8Je8Je8Je8Je8JR:Pk5FOkjRSC6SS+N+

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Tofsee family

    tofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2