Extracted

• • Target

    c944b1c3a2ec3d3141c00e8b83c4a88b5c76057f1119b3de079056fd65d2d33f

  • Size

    260KB

  • MD5

    17e796c1d99911ce19512a8adb8ea55a

  • SHA1

    e4e6aa0076157643919abbf26d9a444fd170d2e9

  • SHA256

    c944b1c3a2ec3d3141c00e8b83c4a88b5c76057f1119b3de079056fd65d2d33f

  • SHA512

    24c4e6e1303a817842d3a6019183d252abf24877aab184459782f7c1eac608feadf04f537164fec59e6ac30598759ccfb7fb7d85240fd5b527a15b8152951342

  • SSDEEP

    3072:xXO0xmVPc4N9LLXf3D7n5ksUGMAHXijUgzYcYhvT+iyQuvM/h3R:VNmVPhN9LjDfUK3j/W8

  Score

  10^/10

  tofseediscoveryevasionexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Tofsee family

    tofsee

  • Windows security bypass

    evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Suspicious use of SetThreadContext

  behavioral1behavioral2