toxiceye | 36ea141e35ff3647e1d25f3f7aaa52dafb9bfb387ddb702fa85d5dc7d8312193

General

Target

NEAS.6859b388a9d83d02a57f5081a74acad0.exe
Size

111KB
MD5

6859b388a9d83d02a57f5081a74acad0
SHA1

c48b9ace80cd328210f7d630eb3655339977eb1e
SHA256

36ea141e35ff3647e1d25f3f7aaa52dafb9bfb387ddb702fa85d5dc7d8312193
SHA512

45a20fee79100ef0e22d69bf99ab6df46e8c054dde80855743b2d43dbcf5266ff26a1246de03061cbcaf0504e11f079f585267439400250bcf2d7e6c3ef1f1dd
SSDEEP

1536:B+bAQRcW6FSM91qQIwiOFJlRxMD029+DVe+bhDqI64QWezCrAZujV6D1:UbTcWWSJOzlPOqbxqH4QWezCrAZujA1

Score

10^/10

toxiceye rat trojan

Malware Config

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NEAS.6859b388a9d83d02a57f5081a74acad0.exerat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	NEAS.6859b388a9d83d02a57f5081a74acad0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

4200 rat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4396 schtasks.exe
4132 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2060 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4648 tasklist.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

rat.exe

pid process

4200 rat.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rat.exe

pid process

4200 rat.exe
4200 rat.exe
4200 rat.exe
4200 rat.exe

pid	process
4200	rat.exe

pid	process
4396	schtasks.exe
4132	schtasks.exe

pid	process
2060	timeout.exe

pid	process
4648	tasklist.exe

pid	process
4200	rat.exe

pid	process
4200	rat.exe
4200	rat.exe
4200	rat.exe
4200	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

NEAS.6859b388a9d83d02a57f5081a74acad0.exetasklist.exerat.exe

description	pid	process
Token: SeDebugPrivilege	4404	NEAS.6859b388a9d83d02a57f5081a74acad0.exe
Token: SeDebugPrivilege	4648	tasklist.exe
Token: SeDebugPrivilege	4200	rat.exe
Token: SeDebugPrivilege	4200	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

4200 rat.exe

pid	process
4200	rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

NEAS.6859b388a9d83d02a57f5081a74acad0.execmd.exerat.exe

description	pid	process	target process
PID 4404 wrote to memory of 4396	4404	NEAS.6859b388a9d83d02a57f5081a74acad0.exe	schtasks.exe
PID 4404 wrote to memory of 4396	4404	NEAS.6859b388a9d83d02a57f5081a74acad0.exe	schtasks.exe
PID 4404 wrote to memory of 4400	4404	NEAS.6859b388a9d83d02a57f5081a74acad0.exe	cmd.exe
PID 4404 wrote to memory of 4400	4404	NEAS.6859b388a9d83d02a57f5081a74acad0.exe	cmd.exe
PID 4400 wrote to memory of 4648	4400	cmd.exe	tasklist.exe
PID 4400 wrote to memory of 4648	4400	cmd.exe	tasklist.exe
PID 4400 wrote to memory of 2328	4400	cmd.exe	find.exe
PID 4400 wrote to memory of 2328	4400	cmd.exe	find.exe
PID 4400 wrote to memory of 2060	4400	cmd.exe	timeout.exe
PID 4400 wrote to memory of 2060	4400	cmd.exe	timeout.exe
PID 4400 wrote to memory of 4200	4400	cmd.exe	rat.exe
PID 4400 wrote to memory of 4200	4400	cmd.exe	rat.exe
PID 4200 wrote to memory of 4132	4200	rat.exe	schtasks.exe
PID 4200 wrote to memory of 4132	4200	rat.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpFCCF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpFCCF.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 4404"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4648
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2328
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2060
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFCCF.tmp.bat

Filesize
214B

MD5
631ac90ed63e0c3f8cfdee78cfd66106

SHA1
75ef408fa599ad5de8b83085c542a798a1c21705

SHA256
a20cc728fc223ac597ee079d39d9248274e91e28a0401df928907e4342e670c6

SHA512
08faf8e86cac70fbd6b1ea775d336462493a7e33aae339fd9c98155ffd8e51b18b5c4f54c5de9c7236703dcad1a6dffe8bec93f1ad118d02df010044a07c2bc8

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
6859b388a9d83d02a57f5081a74acad0

SHA1
c48b9ace80cd328210f7d630eb3655339977eb1e

SHA256
36ea141e35ff3647e1d25f3f7aaa52dafb9bfb387ddb702fa85d5dc7d8312193

SHA512
45a20fee79100ef0e22d69bf99ab6df46e8c054dde80855743b2d43dbcf5266ff26a1246de03061cbcaf0504e11f079f585267439400250bcf2d7e6c3ef1f1dd

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
6859b388a9d83d02a57f5081a74acad0

SHA1
c48b9ace80cd328210f7d630eb3655339977eb1e

SHA256
36ea141e35ff3647e1d25f3f7aaa52dafb9bfb387ddb702fa85d5dc7d8312193

SHA512
45a20fee79100ef0e22d69bf99ab6df46e8c054dde80855743b2d43dbcf5266ff26a1246de03061cbcaf0504e11f079f585267439400250bcf2d7e6c3ef1f1dd

Download Submit
memory/4200-11-0x00007FFFCEE90000-0x00007FFFCF951000-memory.dmp

Filesize
10.8MB

Download
memory/4200-12-0x0000027641970000-0x0000027641980000-memory.dmp

Filesize
64KB

Download
memory/4404-0-0x000001BF13190000-0x000001BF131B2000-memory.dmp

Filesize
136KB

Download
memory/4404-1-0x00007FFFDB5E0000-0x00007FFFDC0A1000-memory.dmp

Filesize
10.8MB

Download
memory/4404-2-0x000001BF13560000-0x000001BF13570000-memory.dmp

Filesize
64KB

Download
memory/4404-6-0x00007FFFDB5E0000-0x00007FFFDC0A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads