toxiceye | 58e05a5c06fdf6566e9b58805b90a33568a2a1e67fd973c9a95b4b8d3be1d375

General

Target

lib.exe
Size

1.2MB
MD5

d39f50f7840e788f9aabb6fc571b954b
SHA1

b3a05caf1aa8b5767a9f84f57fd269ab0a7034f4
SHA256

58e05a5c06fdf6566e9b58805b90a33568a2a1e67fd973c9a95b4b8d3be1d375
SHA512

dd3dbb76b910f2f1e265dc68e7b12aa92e3fafc0839181fdd8ca800cbc39a7d57d57dd1316800358cff5d523643a61d57c4f695e1c598bf2bc21b494a3745fce
SSDEEP

24576:+GhtNUS/L+lGr6T6beITFwVx3mpYkb1rNmFpEvu954SkIEN6yaJRq+:+GJR/qlK6gtTaVxSvyAuX4SknkRD

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot6834433996:AAGJy757LSjxghxJ7K6QegRWYUfoJwS7zOo/sendMessage?chat_id=1149368640

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2508 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

2272 rat.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2508 cmd.exe

pid	process
2508	cmd.exe

pid	process
2272	rat.exe

pid	process
2508	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

lib.exerat.exe

pid	process
3028	lib.exe
2272	rat.exe
2272	rat.exe
2272	rat.exe
2272	rat.exe
2272	rat.exe
2272	rat.exe
2272	rat.exe
2272	rat.exe
2272	rat.exe
2272	rat.exe
2272	rat.exe
2272	rat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3056 schtasks.exe
2660 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2492 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1700 tasklist.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

lib.exetasklist.exerat.exe

description pid process

Token: SeDebugPrivilege 3028 lib.exe
Token: SeDebugPrivilege 1700 tasklist.exe
Token: SeDebugPrivilege 2272 rat.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

lib.exerat.exe

pid process

3028 lib.exe
2272 rat.exe

pid	process
3056	schtasks.exe
2660	schtasks.exe

pid	process
2492	timeout.exe

pid	process
1700	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	3028	lib.exe
Token: SeDebugPrivilege	1700	tasklist.exe
Token: SeDebugPrivilege	2272	rat.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

lib.execmd.exerat.exe

description	pid	process	target process
PID 3028 wrote to memory of 3056	3028	lib.exe	schtasks.exe
PID 3028 wrote to memory of 3056	3028	lib.exe	schtasks.exe
PID 3028 wrote to memory of 3056	3028	lib.exe	schtasks.exe
PID 3028 wrote to memory of 3056	3028	lib.exe	schtasks.exe
PID 3028 wrote to memory of 2508	3028	lib.exe	cmd.exe
PID 3028 wrote to memory of 2508	3028	lib.exe	cmd.exe
PID 3028 wrote to memory of 2508	3028	lib.exe	cmd.exe
PID 3028 wrote to memory of 2508	3028	lib.exe	cmd.exe
PID 2508 wrote to memory of 1700	2508	cmd.exe	tasklist.exe
PID 2508 wrote to memory of 1700	2508	cmd.exe	tasklist.exe
PID 2508 wrote to memory of 1700	2508	cmd.exe	tasklist.exe
PID 2508 wrote to memory of 1700	2508	cmd.exe	tasklist.exe
PID 2508 wrote to memory of 2520	2508	cmd.exe	find.exe
PID 2508 wrote to memory of 2520	2508	cmd.exe	find.exe
PID 2508 wrote to memory of 2520	2508	cmd.exe	find.exe
PID 2508 wrote to memory of 2520	2508	cmd.exe	find.exe
PID 2508 wrote to memory of 2492	2508	cmd.exe	timeout.exe
PID 2508 wrote to memory of 2492	2508	cmd.exe	timeout.exe
PID 2508 wrote to memory of 2492	2508	cmd.exe	timeout.exe
PID 2508 wrote to memory of 2492	2508	cmd.exe	timeout.exe
PID 2508 wrote to memory of 2272	2508	cmd.exe	rat.exe
PID 2508 wrote to memory of 2272	2508	cmd.exe	rat.exe
PID 2508 wrote to memory of 2272	2508	cmd.exe	rat.exe
PID 2508 wrote to memory of 2272	2508	cmd.exe	rat.exe
PID 2272 wrote to memory of 2660	2272	rat.exe	schtasks.exe
PID 2272 wrote to memory of 2660	2272	rat.exe	schtasks.exe
PID 2272 wrote to memory of 2660	2272	rat.exe	schtasks.exe
PID 2272 wrote to memory of 2660	2272	rat.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\lib.exe
"C:\Users\Admin\AppData\Local\Temp\lib.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpACF2.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpACF2.tmp.bat
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\find.exe
    find ":"
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\tasklist.exe
    Tasklist /fi "PID eq 3028"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2492
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpACF2.tmp.bat

Filesize
180B

MD5
18c8923e877f737a46eeefb0351a75f1

SHA1
3fa887fc983df69c6366ea8a6b05fbab35062031

SHA256
9eb44c8ca55952edbdec8b0f54a81a4d75e072acc81be93ba73b02e6b5916c4e

SHA512
c7e6464ab447a71305ab75bf0a1115cec887aa13825112b7e07a5b2423fcb7f4e86991e4fbf1659eb28d7b8e262485ea48dff4d2464bf642b141dd4ff4d91f4b

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
1.2MB

MD5
d39f50f7840e788f9aabb6fc571b954b

SHA1
b3a05caf1aa8b5767a9f84f57fd269ab0a7034f4

SHA256
58e05a5c06fdf6566e9b58805b90a33568a2a1e67fd973c9a95b4b8d3be1d375

SHA512
dd3dbb76b910f2f1e265dc68e7b12aa92e3fafc0839181fdd8ca800cbc39a7d57d57dd1316800358cff5d523643a61d57c4f695e1c598bf2bc21b494a3745fce

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
1.2MB

MD5
d39f50f7840e788f9aabb6fc571b954b

SHA1
b3a05caf1aa8b5767a9f84f57fd269ab0a7034f4

SHA256
58e05a5c06fdf6566e9b58805b90a33568a2a1e67fd973c9a95b4b8d3be1d375

SHA512
dd3dbb76b910f2f1e265dc68e7b12aa92e3fafc0839181fdd8ca800cbc39a7d57d57dd1316800358cff5d523643a61d57c4f695e1c598bf2bc21b494a3745fce

Download Submit
\Users\ToxicEye\rat.exe

Filesize
1.2MB

MD5
d39f50f7840e788f9aabb6fc571b954b

SHA1
b3a05caf1aa8b5767a9f84f57fd269ab0a7034f4

SHA256
58e05a5c06fdf6566e9b58805b90a33568a2a1e67fd973c9a95b4b8d3be1d375

SHA512
dd3dbb76b910f2f1e265dc68e7b12aa92e3fafc0839181fdd8ca800cbc39a7d57d57dd1316800358cff5d523643a61d57c4f695e1c598bf2bc21b494a3745fce

Download Submit
memory/2272-16-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2272-17-0x0000000000840000-0x0000000000BE4000-memory.dmp

Filesize
3.6MB

Download
memory/2272-29-0x0000000000840000-0x0000000000BE4000-memory.dmp

Filesize
3.6MB

Download
memory/2272-28-0x0000000000840000-0x0000000000BE4000-memory.dmp

Filesize
3.6MB

Download
memory/2272-27-0x0000000000840000-0x0000000000BE4000-memory.dmp

Filesize
3.6MB

Download
memory/2272-26-0x0000000000840000-0x0000000000BE4000-memory.dmp

Filesize
3.6MB

Download
memory/2272-13-0x0000000000840000-0x0000000000BE4000-memory.dmp

Filesize
3.6MB

Download
memory/2272-25-0x0000000000840000-0x0000000000BE4000-memory.dmp

Filesize
3.6MB

Download
memory/2272-14-0x0000000000840000-0x0000000000BE4000-memory.dmp

Filesize
3.6MB

Download
memory/2272-15-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2272-24-0x0000000000840000-0x0000000000BE4000-memory.dmp

Filesize
3.6MB

Download
memory/2272-23-0x0000000000840000-0x0000000000BE4000-memory.dmp

Filesize
3.6MB

Download
memory/2272-18-0x0000000000840000-0x0000000000BE4000-memory.dmp

Filesize
3.6MB

Download
memory/2272-19-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2272-20-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2272-21-0x0000000000840000-0x0000000000BE4000-memory.dmp

Filesize
3.6MB

Download
memory/2272-22-0x0000000000840000-0x0000000000BE4000-memory.dmp

Filesize
3.6MB

Download
memory/2508-11-0x0000000002050000-0x00000000023F4000-memory.dmp

Filesize
3.6MB

Download
memory/3028-6-0x0000000001210000-0x00000000015B4000-memory.dmp

Filesize
3.6MB

Download
memory/3028-0-0x0000000001210000-0x00000000015B4000-memory.dmp

Filesize
3.6MB

Download
memory/3028-2-0x0000000074CF0000-0x00000000753DE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-1-0x0000000001210000-0x00000000015B4000-memory.dmp

Filesize
3.6MB

Download
memory/3028-3-0x0000000005C10000-0x0000000005C50000-memory.dmp

Filesize
256KB

Download
memory/3028-8-0x0000000074CF0000-0x00000000753DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads