toxiceye | 55d2ee012d4bc880210a63b0b9e10a31b65d58d2d341a0585806965c8030b519

General

Target

TelegramRAT.exe
Size

111KB
MD5

122174c5133057a13e9d1aaaadf080d1
SHA1

c07281383bd7755df09c8de90b599938686efeb9
SHA256

55d2ee012d4bc880210a63b0b9e10a31b65d58d2d341a0585806965c8030b519
SHA512

d3899e4e2c369a36d7edfb7f165b441943cde89be6ff7645e83c8638c5d35f65b58b960414eb3ff35c4a119fbe6a37c12d2767db8a270c8b0a854d584f292b9b
SSDEEP

1536:D+bAQACiEXM91qQIwvL9xtCc0Di4OybhDqI64QW4zCrAZuoNoDX:abaCHXELrxp6bxqH4QW4zCrAZuoeX

Score

10^/10

toxiceye rat trojan

Malware Config

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

752 rat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4328 schtasks.exe
2952 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2924 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5060 tasklist.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

rat.exe

pid process

752 rat.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rat.exe

pid process

752 rat.exe
752 rat.exe
752 rat.exe
752 rat.exe

pid	process
752	rat.exe

pid	process
4328	schtasks.exe
2952	schtasks.exe

pid	process
2924	timeout.exe

pid	process
5060	tasklist.exe

pid	process
752	rat.exe

pid	process
752	rat.exe
752	rat.exe
752	rat.exe
752	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TelegramRAT.exetasklist.exerat.exe

description	pid	process
Token: SeDebugPrivilege	1500	TelegramRAT.exe
Token: SeDebugPrivilege	5060	tasklist.exe
Token: SeDebugPrivilege	752	rat.exe
Token: SeDebugPrivilege	752	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

752 rat.exe

pid	process
752	rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

TelegramRAT.execmd.exerat.exe

description	pid	process	target process
PID 1500 wrote to memory of 4328	1500	TelegramRAT.exe	schtasks.exe
PID 1500 wrote to memory of 4328	1500	TelegramRAT.exe	schtasks.exe
PID 1500 wrote to memory of 4996	1500	TelegramRAT.exe	cmd.exe
PID 1500 wrote to memory of 4996	1500	TelegramRAT.exe	cmd.exe
PID 4996 wrote to memory of 5060	4996	cmd.exe	tasklist.exe
PID 4996 wrote to memory of 5060	4996	cmd.exe	tasklist.exe
PID 4996 wrote to memory of 4464	4996	cmd.exe	find.exe
PID 4996 wrote to memory of 4464	4996	cmd.exe	find.exe
PID 4996 wrote to memory of 2924	4996	cmd.exe	timeout.exe
PID 4996 wrote to memory of 2924	4996	cmd.exe	timeout.exe
PID 4996 wrote to memory of 752	4996	cmd.exe	rat.exe
PID 4996 wrote to memory of 752	4996	cmd.exe	rat.exe
PID 752 wrote to memory of 2952	752	rat.exe	schtasks.exe
PID 752 wrote to memory of 2952	752	rat.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB74A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpB74A.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4464
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1500"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5060
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2924
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB74A.tmp.bat

Filesize
188B

MD5
90fe9accd9f6933c7dc8236f2b690667

SHA1
67daf35e832b59a67a3dd84fe86854462b97e928

SHA256
372270acf9c33afdb62d2e44325229c35029a2683a0279c01527003e3aacb9d5

SHA512
8c9c6802667cd0422ae5832adc494fe805e5860f9b1e0cadbff7619d947e51d418479f51f858a21c44ee6dd97ddb5cc035c4ff9f1452513d45405da8b25987c6

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
122174c5133057a13e9d1aaaadf080d1

SHA1
c07281383bd7755df09c8de90b599938686efeb9

SHA256
55d2ee012d4bc880210a63b0b9e10a31b65d58d2d341a0585806965c8030b519

SHA512
d3899e4e2c369a36d7edfb7f165b441943cde89be6ff7645e83c8638c5d35f65b58b960414eb3ff35c4a119fbe6a37c12d2767db8a270c8b0a854d584f292b9b

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
122174c5133057a13e9d1aaaadf080d1

SHA1
c07281383bd7755df09c8de90b599938686efeb9

SHA256
55d2ee012d4bc880210a63b0b9e10a31b65d58d2d341a0585806965c8030b519

SHA512
d3899e4e2c369a36d7edfb7f165b441943cde89be6ff7645e83c8638c5d35f65b58b960414eb3ff35c4a119fbe6a37c12d2767db8a270c8b0a854d584f292b9b

Download Submit
memory/752-11-0x00007FFDBEC30000-0x00007FFDBF61C000-memory.dmp

Filesize
9.9MB

Download
memory/752-12-0x00000208E4000000-0x00000208E4010000-memory.dmp

Filesize
64KB

Download
memory/752-13-0x00000208E4000000-0x00000208E4010000-memory.dmp

Filesize
64KB

Download
memory/752-14-0x00007FFDBEC30000-0x00007FFDBF61C000-memory.dmp

Filesize
9.9MB

Download
memory/752-15-0x00000208E4000000-0x00000208E4010000-memory.dmp

Filesize
64KB

Download
memory/1500-0-0x000001683EF50000-0x000001683EF72000-memory.dmp

Filesize
136KB

Download
memory/1500-1-0x00007FFDBEC30000-0x00007FFDBF61C000-memory.dmp

Filesize
9.9MB

Download
memory/1500-2-0x000001683F320000-0x000001683F330000-memory.dmp

Filesize
64KB

Download
memory/1500-6-0x00007FFDBEC30000-0x00007FFDBF61C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads