Malware Analysis Report

2024-08-06 11:57

Sample ID 240302-b8ehbsge9x
Target a.exe
SHA256 5d3a08dced9382d003191a7cc8fab4b2e116c8673301de05e75f1891d7740d33
Tags toxiceye rat trojan spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 5d3a08dced9382d003191a7cc8fab4b2e116c8673301de05e75f1891d7740d33

Threat Level: Known bad

The file a.exe was found to be: Known bad.

Malicious Activity Summary

toxiceye rat trojan spyware stealer

Toxiceye family

Contains code to disable Windows Defender

ToxicEye

Downloads MZ/PE file

Deletes itself

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Creates scheduled task(s)

Delays execution with timeout.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-03-02 01:48

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Toxiceye family

toxiceye

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-02 01:48

Reported 2024-03-02 01:51

Platform win7-20240221-en

Max time kernel 122s

Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ToxicEye

rat trojan toxiceye

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\System32\schtasks.exe
PID 2072 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\System32\schtasks.exe
PID 2072 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\System32\schtasks.exe
PID 2072 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\System32\cmd.exe
PID 2072 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\System32\cmd.exe
PID 2072 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\a.exe C:\Windows\System32\cmd.exe
PID 2572 wrote to memory of 2708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2572 wrote to memory of 2708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2572 wrote to memory of 2708 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2572 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2572 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2572 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2572 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2572 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2572 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2572 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 2572 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 2572 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 2596 wrote to memory of 588 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe
PID 2596 wrote to memory of 588 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe
PID 2596 wrote to memory of 588 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe
PID 2596 wrote to memory of 2712 N/A C:\Users\CyberEye\rat.exe C:\Windows\system32\WerFault.exe
PID 2596 wrote to memory of 2712 N/A C:\Users\CyberEye\rat.exe C:\Windows\system32\WerFault.exe
PID 2596 wrote to memory of 2712 N/A C:\Users\CyberEye\rat.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a.exe

"C:\Users\Admin\AppData\Local\Temp\a.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp62A9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp62A9.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2072"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\CyberEye\rat.exe

"rat.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2596 -s 1568

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2072-0-0x0000000001320000-0x000000000134A000-memory.dmp

memory/2072-1-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

memory/2072-2-0x000000001B210000-0x000000001B290000-memory.dmp

memory/2072-5-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp62A9.tmp.bat

MD5 1bb169696522d59670c0f0bdb1626a95
SHA1 6d4a10191013e7fd2af84cbd45d158cd816a6ecf
SHA256 8694899f05cffafb8386fa83cd09e7c216b8df7c64e7bbe32df7b494f67128fb
SHA512 59b88424144f56fb2b0ab2af14d2962564b86d484c32946ab07c62b57d145411ee4510e434b48b9ae565ca45a39b7d80737798748359b4da977b085aa02f8a62

C:\Users\CyberEye\rat.exe

MD5 9f7e5fec8caa330b7ae21818ca6bd057
SHA1 04c7bc6909a8cac7712010728c1d58ea348e7400
SHA256 5d3a08dced9382d003191a7cc8fab4b2e116c8673301de05e75f1891d7740d33
SHA512 8756772ed9ca40cf1bd879faf2a6b34861ba3abe46199b90e3db66ddb1b87837494720892a73f7b3c22ed0f234f1a5d91282de48c431709775597dc4cd066e8f

memory/2596-10-0x0000000000DE0000-0x0000000000E0A000-memory.dmp

memory/2596-11-0x000007FEF4F00000-0x000007FEF58EC000-memory.dmp

memory/2596-12-0x000000001AFE0000-0x000000001B060000-memory.dmp

memory/2596-13-0x000007FEF4F00000-0x000007FEF58EC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-02 01:48

Reported 2024-03-02 01:51

Platform win10v2004-20240226-en

Max time kernel 150s

Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ToxicEye

rat trojan toxiceye

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\CyberEye\rat.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a.exe

"C:\Users\Admin\AppData\Local\Temp\a.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD3AB.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD3AB.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2868"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\CyberEye\rat.exe

"rat.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
IE 74.125.193.95:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 95.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/2868-0-0x00007FF9840E0000-0x00007FF984BA1000-memory.dmp

memory/2868-1-0x000001EF2FA20000-0x000001EF2FA4A000-memory.dmp

memory/2868-2-0x000001EF4A060000-0x000001EF4A070000-memory.dmp

memory/2868-6-0x00007FF9840E0000-0x00007FF984BA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD3AB.tmp.bat

MD5 898a3bc38d57d4f157ba9b5fda068598
SHA1 de033c39807770fc68e43a752b3a3a349e6e3341
SHA256 b577031857cd16a9e4dc78d05c885851931c5230ee3ab38a426f160a8f429eab
SHA512 6084df6e772fb3ee88069ddb91a1da00ceef4783702e01c080bff011077665346c87e7f04eaf4d3d2f483583393dd8a1d230b8a9e436de9327fd10883a6af256

C:\Users\CyberEye\rat.exe

MD5 9f7e5fec8caa330b7ae21818ca6bd057
SHA1 04c7bc6909a8cac7712010728c1d58ea348e7400
SHA256 5d3a08dced9382d003191a7cc8fab4b2e116c8673301de05e75f1891d7740d33
SHA512 8756772ed9ca40cf1bd879faf2a6b34861ba3abe46199b90e3db66ddb1b87837494720892a73f7b3c22ed0f234f1a5d91282de48c431709775597dc4cd066e8f

memory/416-11-0x00007FF983D00000-0x00007FF9847C1000-memory.dmp

memory/416-12-0x0000019EE7850000-0x0000019EE7860000-memory.dmp

memory/416-13-0x0000019EE7F50000-0x0000019EE7F62000-memory.dmp

memory/416-14-0x0000019EE7C40000-0x0000019EE7C4A000-memory.dmp

memory/416-17-0x0000019EE7850000-0x0000019EE7860000-memory.dmp

memory/416-28-0x0000019EE7850000-0x0000019EE7860000-memory.dmp

memory/416-44-0x00007FF983D00000-0x00007FF9847C1000-memory.dmp

memory/416-45-0x0000019EE7850000-0x0000019EE7860000-memory.dmp

memory/416-46-0x0000019EE7850000-0x0000019EE7860000-memory.dmp