toxiceye | 4945a6badc2b589030801440381322724ad39a595018fb48292160d44ce5f575

General

Target

TelegramRAT.exe
Size

217KB
MD5

2360a3ca7c7f56a98889f16806232d5c
SHA1

996836af3b7ad850bb3977d956d0f6b4f22f95fe
SHA256

4945a6badc2b589030801440381322724ad39a595018fb48292160d44ce5f575
SHA512

3b579dad203a49b39ac03c4bc06bd6d997aac379dd1e4254431354cab202bf739891fbe683e0c6ad95a795cfc32518a49b1f5bd89c152495eb5cdb6baf910071
SSDEEP

3072:nyWNMOa+IuWSgKyuwa+IuWEjZkYq6GY2cy962KTKvgXX9vH42V0Oj1ZNxCii/8Sx:9hKTfg2mOpxpRaxHUSlQ0L4bEu

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot6480398830:AAFQyqU2jJkoow45xDM_BRll8AzNh3bMWuM/sendMessage?chat_id=5234218001

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TelegramRAT.exerat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

4624 rat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4064 schtasks.exe
1164 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1956 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4636 tasklist.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

rat.exe

pid process

4624 rat.exe

pid	process
4064	schtasks.exe
1164	schtasks.exe

pid	process
1956	timeout.exe

pid	process
4636	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rat.exe

pid	process
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe
4624	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TelegramRAT.exetasklist.exerat.exe

description	pid	process
Token: SeDebugPrivilege	4508	TelegramRAT.exe
Token: SeDebugPrivilege	4636	tasklist.exe
Token: SeDebugPrivilege	4624	rat.exe
Token: SeDebugPrivilege	4624	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

4624 rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

TelegramRAT.execmd.exerat.exe

description	pid	process	target process
PID 4508 wrote to memory of 4064	4508	TelegramRAT.exe	schtasks.exe
PID 4508 wrote to memory of 4064	4508	TelegramRAT.exe	schtasks.exe
PID 4508 wrote to memory of 1392	4508	TelegramRAT.exe	cmd.exe
PID 4508 wrote to memory of 1392	4508	TelegramRAT.exe	cmd.exe
PID 1392 wrote to memory of 4636	1392	cmd.exe	tasklist.exe
PID 1392 wrote to memory of 4636	1392	cmd.exe	tasklist.exe
PID 1392 wrote to memory of 3028	1392	cmd.exe	find.exe
PID 1392 wrote to memory of 3028	1392	cmd.exe	find.exe
PID 1392 wrote to memory of 1956	1392	cmd.exe	timeout.exe
PID 1392 wrote to memory of 1956	1392	cmd.exe	timeout.exe
PID 1392 wrote to memory of 4624	1392	cmd.exe	rat.exe
PID 1392 wrote to memory of 4624	1392	cmd.exe	rat.exe
PID 4624 wrote to memory of 1164	4624	rat.exe	schtasks.exe
PID 4624 wrote to memory of 1164	4624	rat.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp52A4.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp52A4.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 4508"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3028
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1956
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp52A4.tmp.bat

Filesize
188B

MD5
0e9c2ffa5697fba0e4c14b25e0ae423f

SHA1
63b0c75342bd03b1a528f19e87f90d78f7497be6

SHA256
d0a366173e6c03ec1dd2713e70eba20c657d4ef7655e1f42853d9033cde31abc

SHA512
d05357851c29b2522a151425ea9e81a3807efd4938d3dce31450067ad290803dbdd2273e9aad18bcdf11b4e5fc6e7881acc8bad5eb8dad730271afd20d8bf397

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
217KB

MD5
2360a3ca7c7f56a98889f16806232d5c

SHA1
996836af3b7ad850bb3977d956d0f6b4f22f95fe

SHA256
4945a6badc2b589030801440381322724ad39a595018fb48292160d44ce5f575

SHA512
3b579dad203a49b39ac03c4bc06bd6d997aac379dd1e4254431354cab202bf739891fbe683e0c6ad95a795cfc32518a49b1f5bd89c152495eb5cdb6baf910071

Download Submit
memory/4508-0-0x000002328C140000-0x000002328C17C000-memory.dmp

Filesize
240KB

Download
memory/4508-1-0x00007FF9EF560000-0x00007FF9F0021000-memory.dmp

Filesize
10.8MB

Download
memory/4508-2-0x000002328C5E0000-0x000002328C5F0000-memory.dmp

Filesize
64KB

Download
memory/4508-6-0x00007FF9EF560000-0x00007FF9F0021000-memory.dmp

Filesize
10.8MB

Download
memory/4624-11-0x00007FF9EF560000-0x00007FF9F0021000-memory.dmp

Filesize
10.8MB

Download
memory/4624-12-0x000002B645D70000-0x000002B645D80000-memory.dmp

Filesize
64KB

Download
memory/4624-13-0x000002B660610000-0x000002B6606BA000-memory.dmp

Filesize
680KB

Download
memory/4624-14-0x000002B6606C0000-0x000002B660736000-memory.dmp

Filesize
472KB

Download
memory/4624-15-0x00007FF9EF560000-0x00007FF9F0021000-memory.dmp

Filesize
10.8MB

Download
memory/4624-16-0x000002B645D70000-0x000002B645D80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads