toxiceye | 587dae991f27a9e18c7bb98f6bd0785fe2894ec2464bddec729a1d243a7dda45

General

Target

a01d6062308781d37c5270fdba230231.exe
Size

111KB
MD5

a01d6062308781d37c5270fdba230231
SHA1

61083d8d892adfbb53c2684e2ae14236e9f0c78e
SHA256

587dae991f27a9e18c7bb98f6bd0785fe2894ec2464bddec729a1d243a7dda45
SHA512

cf544c32e92c49a8a51c38ae7c7431951421b48f091de1e7bd35bdd5624b1370faf8245d06c769fa9af38b803c9cceb65628276dffcd8371b0857b320e62c367
SSDEEP

3072:mb8YUuQaS+T8sNoVWloStVjNhOYJbxqHdQWbzCrAZuxsy:hYUuQaS+T8sNoVWlLHN9bgt

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot1857786160:AAGDD7DgtbFIfWo0zZZYzaCSIulgMOW4U5E/sendMessage?chat_id=1835799378

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a01d6062308781d37c5270fdba230231.exesvchost64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	a01d6062308781d37c5270fdba230231.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	svchost64.exe

Executes dropped EXE 1 IoCs

Processes:

svchost64.exe

pid process

2700 svchost64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4084 schtasks.exe
4624 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1384 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3960 tasklist.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost64.exe

pid process

2700 svchost64.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchost64.exe

pid process

2700 svchost64.exe

pid	process
2700	svchost64.exe

pid	process
4084	schtasks.exe
4624	schtasks.exe

pid	process
1384	timeout.exe

pid	process
3960	tasklist.exe

pid	process
2700	svchost64.exe

pid	process
2700	svchost64.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a01d6062308781d37c5270fdba230231.exetasklist.exesvchost64.exe

description	pid	process
Token: SeDebugPrivilege	5040	a01d6062308781d37c5270fdba230231.exe
Token: SeDebugPrivilege	3960	tasklist.exe
Token: SeDebugPrivilege	2700	svchost64.exe
Token: SeDebugPrivilege	2700	svchost64.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost64.exe

pid process

2700 svchost64.exe

pid	process
2700	svchost64.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

a01d6062308781d37c5270fdba230231.execmd.exesvchost64.exe

description	pid	process	target process
PID 5040 wrote to memory of 4084	5040	a01d6062308781d37c5270fdba230231.exe	schtasks.exe
PID 5040 wrote to memory of 4084	5040	a01d6062308781d37c5270fdba230231.exe	schtasks.exe
PID 5040 wrote to memory of 1424	5040	a01d6062308781d37c5270fdba230231.exe	cmd.exe
PID 5040 wrote to memory of 1424	5040	a01d6062308781d37c5270fdba230231.exe	cmd.exe
PID 1424 wrote to memory of 3960	1424	cmd.exe	tasklist.exe
PID 1424 wrote to memory of 3960	1424	cmd.exe	tasklist.exe
PID 1424 wrote to memory of 3352	1424	cmd.exe	find.exe
PID 1424 wrote to memory of 3352	1424	cmd.exe	find.exe
PID 1424 wrote to memory of 1384	1424	cmd.exe	timeout.exe
PID 1424 wrote to memory of 1384	1424	cmd.exe	timeout.exe
PID 1424 wrote to memory of 2700	1424	cmd.exe	svchost64.exe
PID 1424 wrote to memory of 2700	1424	cmd.exe	svchost64.exe
PID 2700 wrote to memory of 4624	2700	svchost64.exe	schtasks.exe
PID 2700 wrote to memory of 4624	2700	svchost64.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a01d6062308781d37c5270fdba230231.exe
"C:\Users\Admin\AppData\Local\Temp\a01d6062308781d37c5270fdba230231.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\svchost64.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9114.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp9114.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 5040"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3352
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1384
- - C:\Users\svchost64.exe
    "svchost64.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\svchost64.exe"
      4⤵
      Creates scheduled task(s)
      PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9114.tmp.bat

Filesize
206B

MD5
1e2e597b98c6973449a759b03014b5d5

SHA1
7235e9eb388a76422fa0c08a5587545d9563c9fe

SHA256
f9270f86607d72d4b2e1689856344522b571f675935cff47dd86d2e51ac0db8a

SHA512
17a7fbbe30d9a7f938ee4a96c35c9141da7600b43a3d191fb739496bf1c73d47272a6829c8853420f9e5f75e6cfa472ddec69fe264933222a7d774dc8362e99b

Download Submit
C:\Users\svchost64.exe

Filesize
111KB

MD5
a01d6062308781d37c5270fdba230231

SHA1
61083d8d892adfbb53c2684e2ae14236e9f0c78e

SHA256
587dae991f27a9e18c7bb98f6bd0785fe2894ec2464bddec729a1d243a7dda45

SHA512
cf544c32e92c49a8a51c38ae7c7431951421b48f091de1e7bd35bdd5624b1370faf8245d06c769fa9af38b803c9cceb65628276dffcd8371b0857b320e62c367

Download Submit
memory/2700-11-0x00007FF9616D0000-0x00007FF962191000-memory.dmp

Filesize
10.8MB

Download
memory/2700-12-0x000001D33FB90000-0x000001D33FBA0000-memory.dmp

Filesize
64KB

Download
memory/5040-0-0x000001D48BE70000-0x000001D48BE92000-memory.dmp

Filesize
136KB

Download
memory/5040-1-0x00007FF9616D0000-0x00007FF962191000-memory.dmp

Filesize
10.8MB

Download
memory/5040-2-0x000001D4A6460000-0x000001D4A6470000-memory.dmp

Filesize
64KB

Download
memory/5040-6-0x00007FF9616D0000-0x00007FF962191000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads