Backdoor.Win32.Tofsee.doxd removal instruction

The Backdoor.Win32.Tofsee.doxd is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Backdoor.Win32.Tofsee.doxd virus can do?

Executable code extraction
Injection (inter-process)
Injection (Process Hollowing)
Creates RWX memory
A process attempted to delay the analysis task.
Attempts to connect to a dead IP:Port (15 unique times)
Starts servers listening on 0.0.0.0:2062
Reads data out of its own binary image
A process created a hidden window
Drops a binary and executes it
Performs some HTTP requests
Unconventionial language used in binary resources: Ukrainian
The binary likely contains encrypted or compressed data.
The executable is compressed using UPX
Uses Windows utilities for basic functionality
Enumerates services, possibly for anti-virtualization
Executed a process and injected code into it, probably while unpacking
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
Installs itself for autorun at Windows startup
A possible cryptomining command was executed
Makes SMTP requests, possibly sending spam or exfiltrating data.
Attempts to interact with an Alternate Data Stream (ADS)
Anomalous binary characteristics

Related domains:

microsoft-com.mail.protection.outlook.com

0.0.0.0.dnsbl.sorbs.net

0.0.0.0.bl.spamcop.net

0.0.0.0.zen.spamhaus.org

0.0.0.0.sbl-xbl.spamhaus.org

0.0.0.0.cbl.abuseat.org

msr.pool-pay.com

ip.pr-cy.hacklix.com

iv0001-npxs01001-00.auth.np.ac.playstation.net

How to determine Backdoor.Win32.Tofsee.doxd?


File Info:
crc32: 6E00D3F9
md5: 6f27ef031ad3f967fe14a58dd91fcbeb
name: 6F27EF031AD3F967FE14A58DD91FCBEB.mlw
sha1: 3e085c27ec0f0e8357022c38458bd442b34645ac
sha256: a2401f235e4f85a314ba5fdeae657833d6438ee4b0fe3d69c8f6a70c7fd78672
sha512: 513b40e1ed0e8b31626861bad2b94ea6f9167d966fed6d72e218b8b90d3be3a492744d58b9f8873040e1e21c78073581de8bafeca983436ec99c3107d4b79911
ssdeep: 3072:oFSDlKvs8bNsspvUe7HHo5h3ZXDaEAmxztS1AXhl:ZwhsA7oP3JcmBtS1AXhl
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

Version Info:
InternalSurname: debaukd.ekze
Prod: 1.2.7
FileVersions: 1.0.5.6
LegalCo: Copyri (C) 2019, permudationzi

Backdoor.Win32.Tofsee.doxd also known as:

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.45227570
FireEye	Generic.mg.6f27ef031ad3f967
Cylance	Unsafe
Sangfor	Malware
BitDefender	Trojan.GenericKD.45227570
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Kaspersky	Backdoor.Win32.Tofsee.doxd
Ad-Aware	Trojan.GenericKD.45227570
Emsisoft	Trojan.GenericKD.45227570 (B)
DrWeb	Trojan.Siggen11.56849
McAfee-GW-Edition	BehavesLike.Win32.Trojan.cc
Sophos	ML/PE-A
eGambit	Unsafe.AI_Score_91%
Microsoft	Trojan:Win32/Glupteba!ml
ZoneAlarm	Backdoor.Win32.Tofsee.doxd
GData	Win32.Backdoor.Tofsee.14714B
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Glupteba.R361154
Acronis	suspicious
McAfee	RDN/Tofsee
MAX	malware (ai score=81)
Malwarebytes	Trojan.MalPack.GS
ESET-NOD32	a variant of Win32/GenKryptik.EZFQ
Rising	Backdoor.Agent!8.C5D (TFE:5:IhzqwXEXQUL)
SentinelOne	Static AI – Malicious PE
Fortinet	W32/Kryptik.HGHW!tr
BitDefenderTheta	Gen:NN.ZexaF.34700.jmGfam9FGccc
CrowdStrike	win/malicious_confidence_100% (D)

How to remove Backdoor.Win32.Tofsee.doxd?

Download and install GridinSoft Anti-Malware.
Open GridinSoft Anti-Malware and perform a “Standard scan“.
“Move to quarantine” all items.
Open “Tools” tab – Press “Reset Browser Settings“.
Select proper browser and options – Click “Reset”.
Restart your computer.

Backdoor.Win32.Tofsee.doxd removal instruction