Extracted

• • Target

    0c562a5c681740b9496f31015d6ec74b9daf4ca21ce5dbde6788c866fb0d6aea.exe

  • Size

    13.0MB

  • MD5

    d4fbad00810efbb5dbd8a2452fe04ec3

  • SHA1

    65884289994c879fdf192a5e6662a04d1a2f649e

  • SHA256

    0c562a5c681740b9496f31015d6ec74b9daf4ca21ce5dbde6788c866fb0d6aea

  • SHA512

    b38b6d38106d8cb16dc5967ddd3be58bb5a4475867f1271896f1dbfc516d68b3f5de992a47ef31149ef264d889a1be8990ae26619ec6cc6c2b3a550bf69e7dd8

  • SSDEEP

    24576:cqkEnA6V///////////////////////////////////////////////////////3:cqC

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Tofsee family

    tofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2