Extracted

• • Target

    2025-02-12_d42fc258c075d0a348732e1c5add285a_mafia

  • Size

    12.4MB

  • MD5

    d42fc258c075d0a348732e1c5add285a

  • SHA1

    d5fff320f7fcb7709ced5ef7d075f32d18a6a474

  • SHA256

    344d1f58e5c289a4a9fb84e1a55a938ef1647c1f88a03c59540d503f931a29ff

  • SHA512

    1d90d99a4b1a5ef5957a45bde72c6b811fdd578459d028cdc6ee875989472d90c1e4682f76aa062a6b9c99319314078c26edd86e5eebb74c5b515feba8d21c82

  • SSDEEP

    24576:ipomTTN9tttttttttttttttttttttttttttttttttttttttttttttttttttttttP:Goo9

  Score

  10^/10

  tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojanadwarestealer

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Tofsee family

    tofsee

  • Windows security bypass

    defense_evasiontrojan

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Creates new service(s)

    persistenceexecution

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    defense_evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2