Analysis Overview
SHA256
2aebd9a1bc61ad562d8f8e1115cf21247281b3f5e5ab41305406c5bdc7c4b0ff
Threat Level: Known bad
The file eb65763fbd4c28c3afac6d08ab63c318 was found to be: Known bad.
Malicious Activity Summary
ToxicEye
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Loads dropped DLL
Checks BIOS information in registry
Deletes itself
Executes dropped EXE
Maps connected drives based on registry
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-12-28 17:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-28 17:15
Reported
2024-01-09 14:23
Platform
win7-20231215-en
Max time kernel
124s
Max time network
124s
Command Line
Signatures
ToxicEye
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\ToxicEye\rat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Users\ToxicEye\rat.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\ToxicEye\rat.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\ToxicEye\rat.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\ToxicEye\rat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\ToxicEye\rat.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2224 set thread context of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe |
| PID 472 set thread context of 1900 | N/A | C:\Users\ToxicEye\rat.exe | C:\Users\ToxicEye\rat.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\ToxicEye\rat.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\ToxicEye\rat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\ToxicEye\rat.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\ToxicEye\rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe
"C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgQtVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEEF.tmp"
C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
C:\Windows\SysWOW64\find.exe
find ":"
C:\Windows\SysWOW64\tasklist.exe
Tasklist /fi "PID eq 2968"
C:\Windows\SysWOW64\timeout.exe
Timeout /T 1 /Nobreak
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp19B8.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp19B8.tmp.bat
C:\Users\ToxicEye\rat.exe
"rat.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgQtVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCD5D.tmp"
C:\Users\ToxicEye\rat.exe
"{path}"
C:\Users\ToxicEye\rat.exe
"{path}"
C:\Users\ToxicEye\rat.exe
"{path}"
C:\Users\ToxicEye\rat.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/2224-0-0x0000000001240000-0x0000000001326000-memory.dmp
memory/2224-1-0x0000000073E10000-0x00000000744FE000-memory.dmp
memory/2224-2-0x0000000004B00000-0x0000000004B40000-memory.dmp
memory/2224-3-0x0000000000370000-0x0000000000378000-memory.dmp
memory/2224-4-0x0000000073E10000-0x00000000744FE000-memory.dmp
memory/2224-5-0x0000000004B00000-0x0000000004B40000-memory.dmp
memory/2224-6-0x0000000008130000-0x00000000081E8000-memory.dmp
memory/2224-7-0x0000000005310000-0x000000000537A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpEEF.tmp
| MD5 | 38026000b766d61d0a1320a70d67220c |
| SHA1 | c1be39e6e472b587c6d95a982567a7af4ec07182 |
| SHA256 | daa4ef0dec32c64c0643c2f98e428936ea29adacf6ec1d5aec25e77b3e021c41 |
| SHA512 | 6af9196d119e2af87c6796495062ea70386799b4a07e96ce08fb3ce699502519b7f6af85100ead344315087682fbac47aa8a22618cc5b3f5f69710d867cba591 |
memory/2968-11-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2968-13-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2968-15-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2968-14-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2968-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2968-18-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2224-20-0x0000000073E10000-0x00000000744FE000-memory.dmp
memory/2968-21-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2968-23-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2968-24-0x0000000073E10000-0x00000000744FE000-memory.dmp
memory/2968-25-0x0000000004D80000-0x0000000004DC0000-memory.dmp
memory/2968-29-0x0000000073E10000-0x00000000744FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp19B8.tmp.bat
| MD5 | 62218b9fe94739f7cea468f7abc79d0b |
| SHA1 | 900ac0e245cbab37c1d216c6a6f9d94dcbb9cea8 |
| SHA256 | 80990e9e6fb7c64e106d515c451e93c5d1ccccc52388920a27ebbc9a0c1a0462 |
| SHA512 | 7dd8adf235253efe0912c0cc5f653d9124467a189835f93908e0824b9fce59e57e7a475a168f20c855a2bac00c2637f7119b5172b6a82c9acbd2a7a9d8a227bb |
C:\Users\ToxicEye\rat.exe
| MD5 | 910752bd19268a83afec169360b37abe |
| SHA1 | 9090050b79e7c6ecc62d66aa8e210e4d27d60b04 |
| SHA256 | f8d9f728b9649e6a8bfa4a16bb833106e8175d81a19522de08409e0614d3c86d |
| SHA512 | 93b92807c260b0a08eeeecb844cd9807bd1827966d280fc25532fb03f9f8706d3387ef66ff761367ae6005094cec98450d354c1d01d0607318ecef45b60acc36 |
C:\Users\ToxicEye\rat.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/472-34-0x0000000072E30000-0x000000007351E000-memory.dmp
memory/472-35-0x0000000004B60000-0x0000000004BA0000-memory.dmp
memory/472-33-0x00000000000E0000-0x00000000001C6000-memory.dmp
\Users\ToxicEye\rat.exe
| MD5 | d50b34496546f10f6284a6588bddc658 |
| SHA1 | 9f71f937623adeb2cb94eed844020585c3ea5c37 |
| SHA256 | 44bab0aa8cc24e426d11c6f87702c40a19431c721443faa8658e70af07cb9cb8 |
| SHA512 | 3c2f37308cccf04d9b5ab26eb1f95a3f29012fb992e628a6a8537cd1dffc254b048c02ac29c493b7cf4c96f9ca595f68cad90a0bcb3dd1d423ea74c44bebeccd |
memory/472-36-0x0000000072E30000-0x000000007351E000-memory.dmp
memory/472-37-0x0000000004B60000-0x0000000004BA0000-memory.dmp
C:\Users\ToxicEye\rat.exe
| MD5 | 7a9308a7e394a0f5da966fa85f61e295 |
| SHA1 | f7d48ece58bbe0d7f31b51176d44d2d42e81f5de |
| SHA256 | b63af1489f3e3b2abee884ebfd968c85afbf2ab220a1e3fff69133fde54242df |
| SHA512 | a4f04f8ac03be20f9925f8a51b0f4d50fafeeed5441405e0798baecefb0835600e6df88edf0195a3d846e2b06e85c5a918a8e5c38e79e32869264b9dd2ac31ed |
C:\Users\ToxicEye\rat.exe
| MD5 | eb65763fbd4c28c3afac6d08ab63c318 |
| SHA1 | 9297b49103ab3beff2851a441b4458a58a986fcc |
| SHA256 | 2aebd9a1bc61ad562d8f8e1115cf21247281b3f5e5ab41305406c5bdc7c4b0ff |
| SHA512 | 3397ec9a0b04e8c43bfabe1fbf30894e4bd973a46488252e6223ad4e41c869c5bf08aa4194b5f492f90c489909819ec6ae1e8dafbeb226470416a16d557f6288 |
memory/1900-54-0x0000000000400000-0x0000000000422000-memory.dmp
memory/1900-56-0x0000000072E30000-0x000000007351E000-memory.dmp
memory/472-55-0x0000000072E30000-0x000000007351E000-memory.dmp
memory/1900-57-0x0000000004A30000-0x0000000004A70000-memory.dmp
memory/1900-52-0x0000000000400000-0x0000000000422000-memory.dmp
C:\Users\ToxicEye\rat.exe
| MD5 | 08b11113dfeecc5c27c0c2468ee27faf |
| SHA1 | 00611cbaf6e92f6390b710fcdaf9ce3fa7a2f0d4 |
| SHA256 | 128e0036b03ecf773f869734fbc21a43289d0dd4e89908c2ef1c6ad10dc60c8b |
| SHA512 | 0d6664a7e5efc1033a9fa63df264d437024f5f74ae28cd35be9253b524307c59e44917b5780e1b32360f30f5564d3c7e5791edc532540735a0f7e99bd9f7bb85 |
memory/1900-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
\Users\ToxicEye\rat.exe
| MD5 | 3d3a737be1118b36bbff9ed4cb6f8e6b |
| SHA1 | 11e9f5e374bc7a4f6053464d9d1dc9d40428d576 |
| SHA256 | d1caf08afe43bde12d5b078e96a269329ceeec3a6cae86653427d0a13f608932 |
| SHA512 | fd24359d3aeb94d86348c3ac36fe10fa37088767aa4c3401e9498bf14845da53c0d2e8465e19a3baa70a3f5a0672dac6038a043dfb11c76f985139d4198781dc |
\Users\ToxicEye\rat.exe
| MD5 | da51c6846c95fbb1b7bfa509784e099b |
| SHA1 | f1bd16de283107f31ca96fdca48cffe15c417afc |
| SHA256 | 8ae068ba172a766431f1834353e4335aae2843b86e17720a20003bd83b41eda6 |
| SHA512 | 3e0c1d3a5512dacc2a9ce1d8b1840c1de0512279dd5eb75478c55643419527a544ef9e2df99677e5f0e00940beb16f07e147c55d03a4d5654bff5c84e0c99b80 |
\Users\ToxicEye\rat.exe
| MD5 | c0ef5b0ee63da61b23b02cb4bad85300 |
| SHA1 | d5e1481c9370a6e455e5e69b1ba2aaf1671b19c2 |
| SHA256 | 01b6ff4db8b74ab3714fa82da8c414572b98ecf891a379b41f93b97ddeaef7c5 |
| SHA512 | 0c778a8e2cf810ef82932e6a9be8ba314f7ef565b47c57f88621f9e6d13819a58abef02c5857b0fed7f8f3ce26e7ea6528c2dd9cfe0f71d98e275d87ec035285 |
\Users\ToxicEye\rat.exe
| MD5 | bc3881667c887328151a584ee711cfc5 |
| SHA1 | 580e06c2ee4b55934a3be1252b388dbc57b418a4 |
| SHA256 | 082859d1710f53dd52eac4f293ddd3937094735562569356d8159db270216ccc |
| SHA512 | 5ac2a00b3ba8d92f859e3aacb14f3ba69e9481712b3f2cc5461b2fca336cefd90ab8cce149e7b1fb1b60093cd391bf602d3ba6f13c9e666e4393023d037c0900 |
\Users\ToxicEye\rat.exe
| MD5 | 1cad459e71649c3a3a8dafeb0fc0c011 |
| SHA1 | efd1c9ff05d188dc9abb77f6e94b877c5551bebe |
| SHA256 | ae8cfaf023cde47583e6ddfb4cbe04c45368d579ce743a0890a1edf6664c2317 |
| SHA512 | f38eaf8b6984227231b37a21a51f27303db7ee830051116635f01dab4fd698de0e1e50a9e1e855f20d9c9de332834baadba28e4d9aa6b09b29377bf8c8378c06 |
memory/1900-63-0x0000000072E30000-0x000000007351E000-memory.dmp
memory/1900-64-0x0000000004A30000-0x0000000004A70000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-28 17:15
Reported
2024-01-09 14:23
Platform
win10v2004-20231215-en
Max time kernel
56s
Max time network
154s
Command Line
Signatures
ToxicEye
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe
"C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgQtVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4735.tmp"
C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5186.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5186.tmp.bat
C:\Windows\SysWOW64\find.exe
find ":"
C:\Windows\SysWOW64\tasklist.exe
Tasklist /fi "PID eq 2436"
C:\Windows\SysWOW64\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\ToxicEye\rat.exe
"rat.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgQtVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBFF.tmp"
C:\Users\ToxicEye\rat.exe
"{path}"
C:\Users\ToxicEye\rat.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | tcp | |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp |
Files
memory/2876-0-0x0000000075330000-0x0000000075AE0000-memory.dmp
memory/2876-1-0x0000000000E10000-0x0000000000EF6000-memory.dmp
memory/2876-2-0x0000000005E70000-0x0000000006414000-memory.dmp
memory/2876-3-0x0000000005960000-0x00000000059F2000-memory.dmp
memory/2876-4-0x0000000005920000-0x0000000005930000-memory.dmp
memory/2876-5-0x00000000058F0000-0x00000000058FA000-memory.dmp
memory/2876-6-0x0000000005C90000-0x0000000005C98000-memory.dmp
memory/2876-7-0x0000000006CC0000-0x0000000006D5C000-memory.dmp
memory/2876-8-0x0000000075330000-0x0000000075AE0000-memory.dmp
memory/2876-9-0x0000000005920000-0x0000000005930000-memory.dmp
memory/2876-10-0x0000000008680000-0x0000000008738000-memory.dmp
memory/2876-11-0x000000000ABD0000-0x000000000AC3A000-memory.dmp
memory/2876-12-0x000000000DC40000-0x000000000DCA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4735.tmp
| MD5 | 7f5c5c2e40c374c842b7424f2c54b0ca |
| SHA1 | 99201b442dc8b76a0edbe1444f9aff361f6a0f60 |
| SHA256 | 032003840f68fdb8a7142b4c97946898c9d573f6d9903f8b9c07662a2634770f |
| SHA512 | 7ff4b63fde9dc756c0ecd5c0cd925ba86ae5b6d1a99cad6f430b6503017f2a6075695ec2c2d271994a38a54f1dd4d5158131589f082c6e8a7f58fb60af520351 |
memory/2876-19-0x0000000075330000-0x0000000075AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eb65763fbd4c28c3afac6d08ab63c318.exe.log
| MD5 | e08f822522c617a40840c62e4b0fb45e |
| SHA1 | ae516dca4da5234be6676d3f234c19ec55725be7 |
| SHA256 | bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7 |
| SHA512 | 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4 |
memory/2436-16-0x0000000000400000-0x0000000000422000-memory.dmp
memory/2436-20-0x0000000075330000-0x0000000075AE0000-memory.dmp
memory/2436-21-0x0000000005050000-0x0000000005060000-memory.dmp
memory/2436-25-0x0000000075330000-0x0000000075AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5186.tmp.bat
| MD5 | 6be6eaffaeaa4ffecea9485d34edbf94 |
| SHA1 | 4f10161b92c14aaae5b5059414f85648395f98a8 |
| SHA256 | ea55c64ecb1f751d51225cd6fa28842afc37b39e5f6927ea7a26fa1510196f92 |
| SHA512 | 6ac854941ffec39d1a176742d147e6cc8308330b4966eb96e1704bdd6944e956989b67042eeeffa3183ad19131d66d08f440b868c48ac3b2d5b0ceaebaee4957 |
C:\Users\ToxicEye\rat.exe
| MD5 | 22e195c9bfe7f705337f128690a9360b |
| SHA1 | eeb29d2759ac5f0c6054f8e48586ce957ccd0aca |
| SHA256 | 6cb167ce3aacadefe0a85438b432e87d70e86dc9bb4643ec4a8bfe4a656138af |
| SHA512 | 4a092bb4c485955fa214479f538e477305fb54f6ba133729a076eecdb51347be03627181da464c3e76dfc5ae5a6231d9911f3f548b67e92c5a9a124cd03b1d09 |
memory/3324-29-0x0000000075330000-0x0000000075AE0000-memory.dmp
memory/3324-30-0x0000000005270000-0x0000000005280000-memory.dmp
C:\Users\ToxicEye\rat.exe
| MD5 | deeafa23984d09b28a24a5ce66c7ac2e |
| SHA1 | b7ee18883151afb41dca7052ef0b8c05c5338c56 |
| SHA256 | 645ed3f41fb0dad1d210e754959682f43d5adc169b688948bf3df46f505c1cb6 |
| SHA512 | 99f1c9e6a01c979e248eaacda1c1bcb3ff6e1a94d57a024b0b42c3c766f1a00b9c476f4c6df4027774f0048b45a4d94231728e8047f0977c1e7b235ea52404e8 |
memory/3324-31-0x0000000075330000-0x0000000075AE0000-memory.dmp
memory/3324-32-0x0000000005270000-0x0000000005280000-memory.dmp
C:\Users\ToxicEye\rat.exe
| MD5 | 8088252b9ac97aa2c57077021113e5eb |
| SHA1 | 2409f89e2e0523ea0874ac9f4883bbf0f91770b4 |
| SHA256 | ac1aaf210d996cf01ccc62fd0a68e97e4d7c64b53dd2e4db8890de6d2b8f9dff |
| SHA512 | 86f22252c17e3e9d46d601a7a9e8ff31e13ca2d24d2354bc01200901b06cb75f78c0c9a9f23b0dd2c1ece72cc0bebe5d6adc3a8eb7672675d97e40fa02d3fefe |
memory/3324-40-0x0000000075330000-0x0000000075AE0000-memory.dmp
memory/444-42-0x0000000005910000-0x0000000005920000-memory.dmp
memory/444-41-0x0000000075330000-0x0000000075AE0000-memory.dmp
C:\Users\ToxicEye\rat.exe
| MD5 | 25570e48a2a602ad729898ad976903a4 |
| SHA1 | 718ec4cefbe198830e98c6fca0679d2b8076ac71 |
| SHA256 | 5f6b305f5a2c2f542ccfced74b152da9e39d3a16da87349dae6ea486994d17c5 |
| SHA512 | d6deb1e1deca43cb9da4542991e63b060aaae13cb9dde4b27d760b2647bdfbc6ab3fa5087c98464fd6b21303361bca230a6ed38aa79e78b1ec6bdfa725c7cef4 |
memory/444-43-0x0000000005910000-0x0000000005920000-memory.dmp
memory/444-44-0x0000000075330000-0x0000000075AE0000-memory.dmp
memory/444-45-0x0000000005910000-0x0000000005920000-memory.dmp
memory/444-46-0x0000000005910000-0x0000000005920000-memory.dmp