Extracted

• • Target

    2025-03-30_555cbc7420e3d52a2f8f86f5aae2431a_amadey_karagany_rhadamanthys_smoke-loader

  • Size

    14.7MB

  • MD5

    555cbc7420e3d52a2f8f86f5aae2431a

  • SHA1

    17abf9482c047c46d9ec76fa9cc2b9c72cbff05b

  • SHA256

    6d016e7348c581442179a4c1e2461d69bdfffefa72b8a0bc60e181090713d214

  • SHA512

    7e12b55e739f297960c0015f0305fc2393f273dc638f9c7f46145e9c17066163c29a1102f9d0dfa45421cb1cc81ec3fe45f2abdc32a693ffa2fee0e519007f54

  • SSDEEP

    3072:mdh4rj43qHj/zjgRYR6lVatBLufQxMmYq7sxkgaBChJ:w4rj46/zjgRI2atBLTMYQigaq

  Score

  10^/10

  tofseedefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee

  • Tofsee family

    tofsee

  • Windows security bypass

    defense_evasiontrojan

  • Creates new service(s)

    persistenceexecution

  • Modifies Windows Firewall

    defense_evasion

  • Sets service image path in registry

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2