toxiceye | 5d3a08dced9382d003191a7cc8fab4b2e116c8673301de05e75f1891d7740d33

General

Target

a.exe
Size

143KB
MD5

9f7e5fec8caa330b7ae21818ca6bd057
SHA1

04c7bc6909a8cac7712010728c1d58ea348e7400
SHA256

5d3a08dced9382d003191a7cc8fab4b2e116c8673301de05e75f1891d7740d33
SHA512

8756772ed9ca40cf1bd879faf2a6b34861ba3abe46199b90e3db66ddb1b87837494720892a73f7b3c22ed0f234f1a5d91282de48c431709775597dc4cd066e8f
SSDEEP

3072:/hcmsSrI7vLHvWk4EqvE2Rf2p65dd54f/iaK9NIbve0ZQWf5CrAZuCPg:/v4v8Ef/iay+bWa

Score

10^/10

toxiceye rat spyware stealer trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2868-1-0x000001EF2FA20000-0x000001EF2FA4A000-memory.dmp	disable_win_def
C:\Users\CyberEye\rat.exe	disable_win_def

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rat.exea.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	a.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

416 rat.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

21 raw.githubusercontent.com
22 raw.githubusercontent.com
23 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

872 schtasks.exe
716 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4508 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3928 tasklist.exe

flow	ioc
21	raw.githubusercontent.com
22	raw.githubusercontent.com
23	raw.githubusercontent.com

pid	process
872	schtasks.exe
716	schtasks.exe

pid	process
4508	timeout.exe

pid	process
3928	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rat.exe

pid	process
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe
416	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a.exetasklist.exerat.exe

description	pid	process
Token: SeDebugPrivilege	2868	a.exe
Token: SeDebugPrivilege	3928	tasklist.exe
Token: SeDebugPrivilege	416	rat.exe
Token: SeDebugPrivilege	416	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

416 rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

a.execmd.exerat.exe

description	pid	process	target process
PID 2868 wrote to memory of 872	2868	a.exe	schtasks.exe
PID 2868 wrote to memory of 872	2868	a.exe	schtasks.exe
PID 2868 wrote to memory of 4644	2868	a.exe	cmd.exe
PID 2868 wrote to memory of 4644	2868	a.exe	cmd.exe
PID 4644 wrote to memory of 3928	4644	cmd.exe	tasklist.exe
PID 4644 wrote to memory of 3928	4644	cmd.exe	tasklist.exe
PID 4644 wrote to memory of 4684	4644	cmd.exe	find.exe
PID 4644 wrote to memory of 4684	4644	cmd.exe	find.exe
PID 4644 wrote to memory of 4508	4644	cmd.exe	timeout.exe
PID 4644 wrote to memory of 4508	4644	cmd.exe	timeout.exe
PID 4644 wrote to memory of 416	4644	cmd.exe	rat.exe
PID 4644 wrote to memory of 416	4644	cmd.exe	rat.exe
PID 416 wrote to memory of 716	416	rat.exe	schtasks.exe
PID 416 wrote to memory of 716	416	rat.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD3AB.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD3AB.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2868"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3928
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4684
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4508
- - C:\Users\CyberEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:416
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD3AB.tmp.bat

Filesize
178B

MD5
898a3bc38d57d4f157ba9b5fda068598

SHA1
de033c39807770fc68e43a752b3a3a349e6e3341

SHA256
b577031857cd16a9e4dc78d05c885851931c5230ee3ab38a426f160a8f429eab

SHA512
6084df6e772fb3ee88069ddb91a1da00ceef4783702e01c080bff011077665346c87e7f04eaf4d3d2f483583393dd8a1d230b8a9e436de9327fd10883a6af256

Download Submit
C:\Users\CyberEye\rat.exe

Filesize
143KB

MD5
9f7e5fec8caa330b7ae21818ca6bd057

SHA1
04c7bc6909a8cac7712010728c1d58ea348e7400

SHA256
5d3a08dced9382d003191a7cc8fab4b2e116c8673301de05e75f1891d7740d33

SHA512
8756772ed9ca40cf1bd879faf2a6b34861ba3abe46199b90e3db66ddb1b87837494720892a73f7b3c22ed0f234f1a5d91282de48c431709775597dc4cd066e8f

Download Submit
memory/416-14-0x0000019EE7C40000-0x0000019EE7C4A000-memory.dmp

Filesize
40KB

Download
memory/416-11-0x00007FF983D00000-0x00007FF9847C1000-memory.dmp

Filesize
10.8MB

Download
memory/416-12-0x0000019EE7850000-0x0000019EE7860000-memory.dmp

Filesize
64KB

Download
memory/416-13-0x0000019EE7F50000-0x0000019EE7F62000-memory.dmp

Filesize
72KB

Download
memory/416-17-0x0000019EE7850000-0x0000019EE7860000-memory.dmp

Filesize
64KB

Download
memory/416-28-0x0000019EE7850000-0x0000019EE7860000-memory.dmp

Filesize
64KB

Download
memory/416-44-0x00007FF983D00000-0x00007FF9847C1000-memory.dmp

Filesize
10.8MB

Download
memory/416-45-0x0000019EE7850000-0x0000019EE7860000-memory.dmp

Filesize
64KB

Download
memory/416-46-0x0000019EE7850000-0x0000019EE7860000-memory.dmp

Filesize
64KB

Download
memory/2868-6-0x00007FF9840E0000-0x00007FF984BA1000-memory.dmp

Filesize
10.8MB

Download
memory/2868-2-0x000001EF4A060000-0x000001EF4A070000-memory.dmp

Filesize
64KB

Download
memory/2868-1-0x000001EF2FA20000-0x000001EF2FA4A000-memory.dmp

Filesize
168KB

Download
memory/2868-0-0x00007FF9840E0000-0x00007FF984BA1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads