toxiceye | fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94

General

Target

fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94.exe
Size

105KB
MD5

da9cc4e4135e5ab525f11c3b3f664096
SHA1

4afbc8b795da9f9b067c7df51200c360853aac47
SHA256

fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94
SHA512

cf6f782ebded8ae27119b606c3edc972f063c49e444cfab4d78ed356bc2f5089abecc93cc0d0d3d3356f01237857b7bf21d262fc5899867e69bca193d8894676
SSDEEP

3072:leIL1GcZLw7PUq7QLjPscKO7b1UQWPUCrYZod5:rFw7PUq7Q8C7bf

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot1540181760:AAEnIs2M31DEIo0eweKbO3grGRLd0kFkByk/sendMessage?chat_id=1314803697

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rat.exefba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

4776 rat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1460 schtasks.exe
3568 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3468 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

732 tasklist.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

rat.exe

pid process

4776 rat.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

rat.exe

pid process

4776 rat.exe
4776 rat.exe
4776 rat.exe

pid	process
4776	rat.exe

pid	process
1460	schtasks.exe
3568	schtasks.exe

pid	process
3468	timeout.exe

pid	process
732	tasklist.exe

pid	process
4776	rat.exe

pid	process
4776	rat.exe
4776	rat.exe
4776	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94.exetasklist.exerat.exe

description	pid	process
Token: SeDebugPrivilege	636	fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94.exe
Token: SeDebugPrivilege	732	tasklist.exe
Token: SeDebugPrivilege	4776	rat.exe
Token: SeDebugPrivilege	4776	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

4776 rat.exe

pid	process
4776	rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94.execmd.exerat.exe

description	pid	process	target process
PID 636 wrote to memory of 1460	636	fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94.exe	schtasks.exe
PID 636 wrote to memory of 1460	636	fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94.exe	schtasks.exe
PID 636 wrote to memory of 4216	636	fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94.exe	cmd.exe
PID 636 wrote to memory of 4216	636	fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94.exe	cmd.exe
PID 4216 wrote to memory of 732	4216	cmd.exe	tasklist.exe
PID 4216 wrote to memory of 732	4216	cmd.exe	tasklist.exe
PID 4216 wrote to memory of 3800	4216	cmd.exe	find.exe
PID 4216 wrote to memory of 3800	4216	cmd.exe	find.exe
PID 4216 wrote to memory of 3468	4216	cmd.exe	timeout.exe
PID 4216 wrote to memory of 3468	4216	cmd.exe	timeout.exe
PID 4216 wrote to memory of 4776	4216	cmd.exe	rat.exe
PID 4216 wrote to memory of 4776	4216	cmd.exe	rat.exe
PID 4776 wrote to memory of 3568	4776	rat.exe	schtasks.exe
PID 4776 wrote to memory of 3568	4776	rat.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94.exe
"C:\Users\Admin\AppData\Local\Temp\fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
2⤵
- Creates scheduled task(s)
PID:1460

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7E19.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7E19.tmp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 636"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\system32\find.exe
find ":"
3⤵
PID:3800

C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
3⤵
- Delays execution with timeout.exe
PID:3468

C:\Users\ToxicEye\rat.exe
"rat.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
4⤵
- Creates scheduled task(s)
PID:3568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7E19.tmp.bat
Filesize
240B

MD5
a783cf7c9195d4d071897134a942dc1c

SHA1
699e4c79118a97140eaa13a16302916044f003a9

SHA256
2fda2f6f5c7df0d6b3ea014b9b49adaf206ee332c95fbd7df7f4be09c34e4a89

SHA512
8199daf11d1204c6a77b2249873a46bafd66d91d4153b24a8f1dab39be06b6fff3b1be316426a796f383ef324c2305cb0719fb24057c094478761e6e7796efe1

Download Submit
C:\Users\ToxicEye\rat.exe
Filesize
105KB

MD5
da9cc4e4135e5ab525f11c3b3f664096

SHA1
4afbc8b795da9f9b067c7df51200c360853aac47

SHA256
fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94

SHA512
cf6f782ebded8ae27119b606c3edc972f063c49e444cfab4d78ed356bc2f5089abecc93cc0d0d3d3356f01237857b7bf21d262fc5899867e69bca193d8894676

Download Submit
C:\Users\ToxicEye\rat.exe
Filesize
105KB

MD5
da9cc4e4135e5ab525f11c3b3f664096

SHA1
4afbc8b795da9f9b067c7df51200c360853aac47

SHA256
fba0c53c2c8474675d779172a6acb413f7a81ade4f983616e08b117a55555c94

SHA512
cf6f782ebded8ae27119b606c3edc972f063c49e444cfab4d78ed356bc2f5089abecc93cc0d0d3d3356f01237857b7bf21d262fc5899867e69bca193d8894676

Download Submit
memory/636-0-0x0000015D78270000-0x0000015D78290000-memory.dmp

Filesize
128KB

Download
memory/636-1-0x00007FF97C290000-0x00007FF97CD51000-memory.dmp

Filesize
10.8MB

Download
memory/636-2-0x0000015D7AAA0000-0x0000015D7AAB0000-memory.dmp

Filesize
64KB

Download
memory/636-6-0x00007FF97C290000-0x00007FF97CD51000-memory.dmp

Filesize
10.8MB

Download
memory/4776-11-0x00007FF97C610000-0x00007FF97D0D1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-12-0x00000229B7580000-0x00000229B7590000-memory.dmp

Filesize
64KB

Download
memory/4776-13-0x00000229B7580000-0x00000229B7590000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads