toxiceye | 2aebd9a1bc61ad562d8f8e1115cf21247281b3f5e5ab41305406c5bdc7c4b0ff

General

Target

eb65763fbd4c28c3afac6d08ab63c318.exe
Size

900KB
MD5

eb65763fbd4c28c3afac6d08ab63c318
SHA1

9297b49103ab3beff2851a441b4458a58a986fcc
SHA256

2aebd9a1bc61ad562d8f8e1115cf21247281b3f5e5ab41305406c5bdc7c4b0ff
SHA512

3397ec9a0b04e8c43bfabe1fbf30894e4bd973a46488252e6223ad4e41c869c5bf08aa4194b5f492f90c489909819ec6ae1e8dafbeb226470416a16d557f6288
SSDEEP

12288:W22iNv4sjaq8c+6Rq0mHtRAex8AIb2IRzQqX2Su9Oqql6c+NnHIbwhgT16Ovl:R1usjatrgPeyNcqXMjqlxEH+wlO

Score

10^/10

toxiceye evasion rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot1912175024:AAFyX2DSTB35kTZDCQUzmiHwTx6F5gwOlaE/sendMessage?chat_id=1854909459

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

eb65763fbd4c28c3afac6d08ab63c318.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions eb65763fbd4c28c3afac6d08ab63c318.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

eb65763fbd4c28c3afac6d08ab63c318.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools eb65763fbd4c28c3afac6d08ab63c318.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	eb65763fbd4c28c3afac6d08ab63c318.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	eb65763fbd4c28c3afac6d08ab63c318.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eb65763fbd4c28c3afac6d08ab63c318.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eb65763fbd4c28c3afac6d08ab63c318.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eb65763fbd4c28c3afac6d08ab63c318.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

eb65763fbd4c28c3afac6d08ab63c318.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	eb65763fbd4c28c3afac6d08ab63c318.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	eb65763fbd4c28c3afac6d08ab63c318.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1012 564 WerFault.exe rat.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

540 schtasks.exe
1776 schtasks.exe
1568 schtasks.exe
2636 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1756 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1328 tasklist.exe

pid	pid_target	process	target process
1012	564	WerFault.exe	rat.exe

pid	process
540	schtasks.exe
1776	schtasks.exe
1568	schtasks.exe
2636	schtasks.exe

pid	process
1756	timeout.exe

pid	process
1328	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe
"C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:1404
- C:\Users\Admin\AppData\Local\Temp\eb65763fbd4c28c3afac6d08ab63c318.exe
  "{path}"
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpB70F.tmp.bat
    3⤵
    PID:2832
  - - C:\Users\ToxicEye\rat.exe
      "rat.exe"
      4⤵
      PID:1824
    - - C:\Users\ToxicEye\rat.exe
        
        "{path}"
        5⤵
        
        PID:564
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:1776
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1680
        6⤵
        Program crash
        
        PID:1012
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgQtVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5F01.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:540
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgQtVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2DB.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1568

C:\Windows\SysWOW64\find.exe
find ":"
1⤵
PID:1072

C:\Windows\SysWOW64\timeout.exe
Timeout /T 1 /Nobreak
1⤵
- Delays execution with timeout.exe
PID:1756

C:\Windows\SysWOW64\tasklist.exe
Tasklist /fi "PID eq 2744"
1⤵
- Enumerates processes with tasklist
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB2DB.tmp

Filesize
1KB

MD5
9072303221755fd067bb9d00e994cb94

SHA1
eeeaa7ae90d696f1c2aacc305daf15a782960ea2

SHA256
a02346e6436db4b3e8a4bd9667d08c9c8146ec2476922a2e049ec362622e329d

SHA512
a29a9e95fee73700aecbd45607735040436621a7adff39b5ad92fd63afb4281be4a7baca49b049f11a5c5b8fc8cb41565f7645ac929e3a7a8981a5f9bedbd49f

Download Submit
\Users\ToxicEye\rat.exe

Filesize
59KB

MD5
ff2953f85f4a2d44212682e743e4f7da

SHA1
e582fa2d7cd2a17332b0265311685755a28003c2

SHA256
60d3d1bf2d8632c7d2dee02e7d85d9c82072dd5d2422ce6ac810a2bca7e6be94

SHA512
ca53a93b07e6576ad8949a96781dd73989e0b7e0bf1a07b7f37915076d8562c8ade3b75d2237fce55d35984f96eb4b370f7968fd4bb247a05567a5db81bf3af0

Download Submit
\Users\ToxicEye\rat.exe

Filesize
44KB

MD5
38479017c9fb0a738a182954edcf2d80

SHA1
abeaf26bdbb551700bf12f30b68fee3ab7ad2245

SHA256
cf21bf746570d006212813ff5574fa0198c1683533094b5c1567d50ef092cb80

SHA512
c44df130f8e3d7f7063c751471b61d3f894f8536781eae195f7bd29b6c9a45684e4c80808a556cc794c7b61a271dac2bb02b7c61cefcd1c279c2728ca393060a

Download Submit
\Users\ToxicEye\rat.exe

Filesize
70KB

MD5
a4988be0da8ec3df4b9fc4f0034dbb3c

SHA1
ae683e9d9149589ed886ef98bb4df5990a7b13b6

SHA256
c24399c2ebd9c11f842a1a31415a560ecde1e0fa88b3e2a3481e40a69cdefed9

SHA512
97f16d576f171a392c8b014cc7aa3b09a597c2ec16891591d0016ac628efe07148c942d315054c97cc106b3390e1f89d3a9964fbf96dc5c0426a5c00d25de21d

Download Submit
\Users\ToxicEye\rat.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\ToxicEye\rat.exe

Filesize
28KB

MD5
032b5a7717ff917eb8d4f34516f5fa7f

SHA1
8a44735d764311f748cbff5cdd6fef21a44c30d6

SHA256
06600b30a9ba1e9e6342a64dcaeaf7b630d8cf17558f608734cf25398c45a237

SHA512
b16149cdefe39c698b8a13319911bebcae565b86704f0921b2ea4b160e0bea51f82d8654b488e5832a3fc2939a6dab09e347509ffb6ee3cde666712eb8a6e32b

Download Submit
memory/564-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/564-56-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/564-64-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/564-53-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/564-63-0x0000000074250000-0x000000007493E000-memory.dmp

Filesize
6.9MB

Download
memory/564-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/564-57-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1404-7-0x0000000000D60000-0x0000000000DCA000-memory.dmp

Filesize
424KB

Download
memory/1404-3-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/1404-1-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1404-6-0x0000000005E00000-0x0000000005EB8000-memory.dmp

Filesize
736KB

Download
memory/1404-5-0x0000000000C60000-0x0000000000CA0000-memory.dmp

Filesize
256KB

Download
memory/1404-0-0x0000000000E10000-0x0000000000EF6000-memory.dmp

Filesize
920KB

Download
memory/1404-4-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1404-21-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1404-2-0x0000000000C60000-0x0000000000CA0000-memory.dmp

Filesize
256KB

Download
memory/1824-35-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/1824-36-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/1824-37-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/1824-38-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/1824-34-0x00000000008C0000-0x00000000009A6000-memory.dmp

Filesize
920KB

Download
memory/1824-52-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-26-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/2744-30-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2744-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2744-14-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2744-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2744-15-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2744-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-19-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2744-22-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2744-25-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2744-24-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads