Managed XDR

raid-kostada2-outputs_...2917fbc08c825db87b429f — malware analysis report

File info

Filename: raid-kostada2-outputs_reduced_dataset-pesidious_1772633321-mutated_bazaar.2023.01__heur-backdoor.win32.tofsee_tofsee.gen-0f9632841590f4091ca2b700274a290b0274bca3112917fbc08c825db87b429f
File type: MS-DOS executable, MZ for MS-DOS
File size: 812.1 KB
First seen: 2026-03-05 17:01
Last seen: 2026-03-05 17:01

Environment

w10/x64 en

Hashes

SHA1: 9e2bbd37f4db1fc88f2eb9658dcff2d4e652366b
SHA256: 5581c733bb243a1293b1828fd5ebafd7b07a8685a6ce2533c8b9503f18b7924c
MD5: 450c39ee62a6aacb86f291058f2994f5

Signatures

Execution

T1569.002 persistence_service: Starts newly created service

Persistence

T1543.003 creates_service: Creates a service, that will start automatically

Privilege Escalation

T1543.003 creates_service: Creates a service, that will start automatically

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1562 dep_disable: Disables DEP

T1562.004 firewall_add_rule: Modifies Firewall rules

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1027.002 pe_features: Executable file has PE anomalies (may be false positive)

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

T1070 stealth_window: A process created a hidden window

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality

T1497.001 antivm_disk_size: Checks the amount of free disk space

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Other

yara_rules: Static rules

creates_in_windows: Creates files in the Windows directory

creates_exe: Creates executable files in the file system

static_pe_duplicate_sections: The PE file structure contains anomalies: duplicate section names

creates_suspended_process: Creates suspended process

origin_langid: Unconventional language of the executable file

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

checktokenmembership: Checks user token with CheckTokenMembership call

writes_data: Writes big amount of data to disk

Managed XDR