toxiceye | 2aebd9a1bc61ad562d8f8e1115cf21247281b3f5e5ab41305406c5bdc7c4b0ff

General

Target

eb65763fbd4c28c3afac6d08ab63c318.exe
Size

900KB
MD5

eb65763fbd4c28c3afac6d08ab63c318
SHA1

9297b49103ab3beff2851a441b4458a58a986fcc
SHA256

2aebd9a1bc61ad562d8f8e1115cf21247281b3f5e5ab41305406c5bdc7c4b0ff
SHA512

3397ec9a0b04e8c43bfabe1fbf30894e4bd973a46488252e6223ad4e41c869c5bf08aa4194b5f492f90c489909819ec6ae1e8dafbeb226470416a16d557f6288
SSDEEP

12288:W22iNv4sjaq8c+6Rq0mHtRAex8AIb2IRzQqX2Su9Oqql6c+NnHIbwhgT16Ovl:R1usjatrgPeyNcqXMjqlxEH+wlO

Score

10^/10

toxiceye evasion rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot1912175024:AAFyX2DSTB35kTZDCQUzmiHwTx6F5gwOlaE/sendMessage?chat_id=1854909459

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

eb65763fbd4c28c3afac6d08ab63c318.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions eb65763fbd4c28c3afac6d08ab63c318.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

eb65763fbd4c28c3afac6d08ab63c318.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools eb65763fbd4c28c3afac6d08ab63c318.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	eb65763fbd4c28c3afac6d08ab63c318.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	eb65763fbd4c28c3afac6d08ab63c318.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eb65763fbd4c28c3afac6d08ab63c318.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eb65763fbd4c28c3afac6d08ab63c318.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eb65763fbd4c28c3afac6d08ab63c318.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

eb65763fbd4c28c3afac6d08ab63c318.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	eb65763fbd4c28c3afac6d08ab63c318.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	eb65763fbd4c28c3afac6d08ab63c318.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4464 schtasks.exe
2208 schtasks.exe
4876 schtasks.exe
2052 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2944 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4084 tasklist.exe

pid	process
4464	schtasks.exe
2208	schtasks.exe
4876	schtasks.exe
2052	schtasks.exe

pid	process
2944	timeout.exe

pid	process
4084	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe
"C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:2876
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgQtVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4735.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4464
- C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe
  "{path}"
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5186.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5186.tmp.bat
    3⤵
    PID:3248
  - - C:\Windows\SysWOW64\find.exe
      find ":"
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\tasklist.exe
      Tasklist /fi "PID eq 2436"
      4⤵
      Enumerates processes with tasklist
      PID:4084
  - - C:\Windows\SysWOW64\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2944
  - - C:\Users\ToxicEye\rat.exe
      "rat.exe"
      4⤵
      PID:3324
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgQtVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBFF.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:4876
    - - C:\Users\ToxicEye\rat.exe
        
        "{path}"
        5⤵
        
        PID:444
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2052
    - - C:\Users\ToxicEye\rat.exe
        
        "{path}"
        5⤵
        
        PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eb65763fbd4c28c3afac6d08ab63c318.exe.log

Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4735.tmp

Filesize
1KB

MD5
7f5c5c2e40c374c842b7424f2c54b0ca

SHA1
99201b442dc8b76a0edbe1444f9aff361f6a0f60

SHA256
032003840f68fdb8a7142b4c97946898c9d573f6d9903f8b9c07662a2634770f

SHA512
7ff4b63fde9dc756c0ecd5c0cd925ba86ae5b6d1a99cad6f430b6503017f2a6075695ec2c2d271994a38a54f1dd4d5158131589f082c6e8a7f58fb60af520351

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5186.tmp.bat

Filesize
209B

MD5
6be6eaffaeaa4ffecea9485d34edbf94

SHA1
4f10161b92c14aaae5b5059414f85648395f98a8

SHA256
ea55c64ecb1f751d51225cd6fa28842afc37b39e5f6927ea7a26fa1510196f92

SHA512
6ac854941ffec39d1a176742d147e6cc8308330b4966eb96e1704bdd6944e956989b67042eeeffa3183ad19131d66d08f440b868c48ac3b2d5b0ceaebaee4957

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
70KB

MD5
deeafa23984d09b28a24a5ce66c7ac2e

SHA1
b7ee18883151afb41dca7052ef0b8c05c5338c56

SHA256
645ed3f41fb0dad1d210e754959682f43d5adc169b688948bf3df46f505c1cb6

SHA512
99f1c9e6a01c979e248eaacda1c1bcb3ff6e1a94d57a024b0b42c3c766f1a00b9c476f4c6df4027774f0048b45a4d94231728e8047f0977c1e7b235ea52404e8

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
79KB

MD5
22e195c9bfe7f705337f128690a9360b

SHA1
eeb29d2759ac5f0c6054f8e48586ce957ccd0aca

SHA256
6cb167ce3aacadefe0a85438b432e87d70e86dc9bb4643ec4a8bfe4a656138af

SHA512
4a092bb4c485955fa214479f538e477305fb54f6ba133729a076eecdb51347be03627181da464c3e76dfc5ae5a6231d9911f3f548b67e92c5a9a124cd03b1d09

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
90KB

MD5
25570e48a2a602ad729898ad976903a4

SHA1
718ec4cefbe198830e98c6fca0679d2b8076ac71

SHA256
5f6b305f5a2c2f542ccfced74b152da9e39d3a16da87349dae6ea486994d17c5

SHA512
d6deb1e1deca43cb9da4542991e63b060aaae13cb9dde4b27d760b2647bdfbc6ab3fa5087c98464fd6b21303361bca230a6ed38aa79e78b1ec6bdfa725c7cef4

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
149KB

MD5
8088252b9ac97aa2c57077021113e5eb

SHA1
2409f89e2e0523ea0874ac9f4883bbf0f91770b4

SHA256
ac1aaf210d996cf01ccc62fd0a68e97e4d7c64b53dd2e4db8890de6d2b8f9dff

SHA512
86f22252c17e3e9d46d601a7a9e8ff31e13ca2d24d2354bc01200901b06cb75f78c0c9a9f23b0dd2c1ece72cc0bebe5d6adc3a8eb7672675d97e40fa02d3fefe

Download Submit
memory/444-44-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/444-42-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/444-41-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/444-43-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/444-45-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/444-46-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/2436-21-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/2436-20-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2436-25-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2436-16-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2876-9-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/2876-19-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2876-12-0x000000000DC40000-0x000000000DCA6000-memory.dmp

Filesize
408KB

Download
memory/2876-11-0x000000000ABD0000-0x000000000AC3A000-memory.dmp

Filesize
424KB

Download
memory/2876-10-0x0000000008680000-0x0000000008738000-memory.dmp

Filesize
736KB

Download
memory/2876-0-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2876-1-0x0000000000E10000-0x0000000000EF6000-memory.dmp

Filesize
920KB

Download
memory/2876-5-0x00000000058F0000-0x00000000058FA000-memory.dmp

Filesize
40KB

Download
memory/2876-2-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/2876-3-0x0000000005960000-0x00000000059F2000-memory.dmp

Filesize
584KB

Download
memory/2876-8-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2876-4-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/2876-7-0x0000000006CC0000-0x0000000006D5C000-memory.dmp

Filesize
624KB

Download
memory/2876-6-0x0000000005C90000-0x0000000005C98000-memory.dmp

Filesize
32KB

Download
memory/3324-29-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/3324-40-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/3324-32-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download
memory/3324-31-0x0000000075330000-0x0000000075AE0000-memory.dmp

Filesize
7.7MB

Download
memory/3324-30-0x0000000005270000-0x0000000005280000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads