Malware Analysis Report

2024-08-06 11:58

Sample ID 231111-rlegtage4w
Target NEAS.6859b388a9d83d02a57f5081a74acad0.exe
SHA256 36ea141e35ff3647e1d25f3f7aaa52dafb9bfb387ddb702fa85d5dc7d8312193
Tags toxiceye rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 36ea141e35ff3647e1d25f3f7aaa52dafb9bfb387ddb702fa85d5dc7d8312193

Threat Level: Known bad

The file NEAS.6859b388a9d83d02a57f5081a74acad0.exe was found to be: Known bad.

Malicious Activity Summary

Tags: toxiceye rat trojan

ToxicEye
Toxiceye family
Deletes itself
Executes dropped EXE
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Enumerates processes with tasklist
Delays execution with timeout.exe
Creates scheduled task(s)
Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2023-11-11 14:16

Signatures

Toxiceye family

toxiceye

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2023-11-11 14:16
Reported 2023-11-11 14:19
Platform win7-20231020-en
Max time kernel 121s
Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe"

Signatures

ToxicEye

rat trojan toxiceye

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A
N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\ToxicEye\rat.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\ToxicEye\rat.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2212 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe | C:\Windows\System32\schtasks.exe
PID 2212 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe | C:\Windows\System32\schtasks.exe
PID 2212 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe | C:\Windows\System32\schtasks.exe
PID 2212 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe | C:\Windows\System32\cmd.exe
PID 2212 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe | C:\Windows\System32\cmd.exe
PID 2212 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe | C:\Windows\System32\cmd.exe
PID 2768 wrote to memory of 2984 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 2768 wrote to memory of 2984 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 2768 wrote to memory of 2984 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 2768 wrote to memory of 2532 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\find.exe
PID 2768 wrote to memory of 2532 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\find.exe
PID 2768 wrote to memory of 2532 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\find.exe
PID 2768 wrote to memory of 2636 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2768 wrote to memory of 2636 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2768 wrote to memory of 2636 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2768 wrote to memory of 2584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 2768 wrote to memory of 2584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 2768 wrote to memory of 2584 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 2768 wrote to memory of 2592 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\find.exe
PID 2768 wrote to memory of 2592 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\find.exe
PID 2768 wrote to memory of 2592 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\find.exe
PID 2768 wrote to memory of 2424 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2768 wrote to memory of 2424 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2768 wrote to memory of 2424 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe
PID 2768 wrote to memory of 2932 | N/A | C:\Windows\System32\cmd.exe | C:\Users\ToxicEye\rat.exe
PID 2768 wrote to memory of 2932 | N/A | C:\Windows\System32\cmd.exe | C:\Users\ToxicEye\rat.exe
PID 2768 wrote to memory of 2932 | N/A | C:\Windows\System32\cmd.exe | C:\Users\ToxicEye\rat.exe
PID 2932 wrote to memory of 788 | N/A | C:\Users\ToxicEye\rat.exe | C:\Windows\System32\schtasks.exe
PID 2932 wrote to memory of 788 | N/A | C:\Users\ToxicEye\rat.exe | C:\Windows\System32\schtasks.exe
PID 2932 wrote to memory of 788 | N/A | C:\Users\ToxicEye\rat.exe | C:\Windows\System32\schtasks.exe
PID 2932 wrote to memory of 1692 | N/A | C:\Users\ToxicEye\rat.exe | C:\Windows\system32\WerFault.exe
PID 2932 wrote to memory of 1692 | N/A | C:\Users\ToxicEye\rat.exe | C:\Windows\system32\WerFault.exe
PID 2932 wrote to memory of 1692 | N/A | C:\Users\ToxicEye\rat.exe | C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCFAE.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpCFAE.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2212"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2212"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\ToxicEye\rat.exe

"rat.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2932 -s 1640

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp

Files

memory/2212-0-0x0000000000E40000-0x0000000000E62000-memory.dmp
memory/2212-1-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp
memory/2212-2-0x0000000000480000-0x0000000000500000-memory.dmp
memory/2212-4-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp
memory/2212-5-0x0000000000480000-0x0000000000500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCFAE.tmp.bat
MD5 ea3ba35083307ec10f36dbf41b584ad8
SHA1 a3f07cc69ac75649e12237a2f728129fbe7a40d7
SHA256 53ba3bde9b18b519d2f3a0c908d233719979d567acfc2dd938c9c8b6accadeea
SHA512 af9dcd8c19b7ef42e511b9b311789dfa947f4fa3962ec4a88ef8e1056a94ea2d965b4349f8858c9251462b2644f0aca5a89d065e0d41c4a589f3bddc5954bdc6

memory/2212-8-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

C:\Users\ToxicEye\rat.exe
MD5 6859b388a9d83d02a57f5081a74acad0
SHA1 c48b9ace80cd328210f7d630eb3655339977eb1e
SHA256 36ea141e35ff3647e1d25f3f7aaa52dafb9bfb387ddb702fa85d5dc7d8312193
SHA512 45a20fee79100ef0e22d69bf99ab6df46e8c054dde80855743b2d43dbcf5266ff26a1246de03061cbcaf0504e11f079f585267439400250bcf2d7e6c3ef1f1dd

memory/2932-12-0x0000000000880000-0x00000000008A2000-memory.dmp
memory/2932-13-0x000007FEF4770000-0x000007FEF515C000-memory.dmp
memory/2932-14-0x000007FEF4770000-0x000007FEF515C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-11-11 14:16
Reported 2023-11-11 14:19
Platform win10v2004-20231023-en
Max time kernel 9s
Max time network 15s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe"

Signatures

ToxicEye

rat trojan toxiceye

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation | C:\Users\ToxicEye\rat.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A
N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A
N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A
N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\ToxicEye\rat.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\ToxicEye\rat.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4404 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe | C:\Windows\System32\schtasks.exe
PID 4404 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe | C:\Windows\System32\schtasks.exe
PID 4404 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe | C:\Windows\System32\cmd.exe
PID 4404 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe | C:\Windows\System32\cmd.exe
PID 4400 wrote to memory of 4648 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 4400 wrote to memory of 4648 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 4400 wrote to memory of 2328 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\find.exe
PID 4400 wrote to memory of 2328 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\find.exe
PID 4400 wrote to memory of 2060 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe
PID 4400 wrote to memory of 2060 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe
PID 4400 wrote to memory of 4200 | N/A | C:\Windows\System32\cmd.exe | C:\Users\ToxicEye\rat.exe
PID 4400 wrote to memory of 4200 | N/A | C:\Windows\System32\cmd.exe | C:\Users\ToxicEye\rat.exe
PID 4200 wrote to memory of 4132 | N/A | C:\Users\ToxicEye\rat.exe | C:\Windows\System32\schtasks.exe
PID 4200 wrote to memory of 4132 | N/A | C:\Users\ToxicEye\rat.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.6859b388a9d83d02a57f5081a74acad0.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpFCCF.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpFCCF.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 4404"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\ToxicEye\rat.exe

"rat.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp

Files

memory/4404-0-0x000001BF13190000-0x000001BF131B2000-memory.dmp
memory/4404-1-0x00007FFFDB5E0000-0x00007FFFDC0A1000-memory.dmp
memory/4404-2-0x000001BF13560000-0x000001BF13570000-memory.dmp
memory/4404-6-0x00007FFFDB5E0000-0x00007FFFDC0A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFCCF.tmp.bat
MD5 631ac90ed63e0c3f8cfdee78cfd66106
SHA1 75ef408fa599ad5de8b83085c542a798a1c21705
SHA256 a20cc728fc223ac597ee079d39d9248274e91e28a0401df928907e4342e670c6
SHA512 08faf8e86cac70fbd6b1ea775d336462493a7e33aae339fd9c98155ffd8e51b18b5c4f54c5de9c7236703dcad1a6dffe8bec93f1ad118d02df010044a07c2bc8

C:\Users\ToxicEye\rat.exe
MD5 6859b388a9d83d02a57f5081a74acad0
SHA1 c48b9ace80cd328210f7d630eb3655339977eb1e
SHA256 36ea141e35ff3647e1d25f3f7aaa52dafb9bfb387ddb702fa85d5dc7d8312193
SHA512 45a20fee79100ef0e22d69bf99ab6df46e8c054dde80855743b2d43dbcf5266ff26a1246de03061cbcaf0504e11f079f585267439400250bcf2d7e6c3ef1f1dd

memory/4200-11-0x00007FFFCEE90000-0x00007FFFCF951000-memory.dmp
memory/4200-12-0x0000027641970000-0x0000027641980000-memory.dmp