toxiceye | d064c0c5e34236710062931303079f19ec3974327b3800d9fb6ec69fed002100

General

Target

TelegramRAT.exe
Size

143KB
MD5

d469138477c7462efab75afd4bd13db7
SHA1

daa970c886981f8ae8264fda8fc104dbffac6c66
SHA256

d064c0c5e34236710062931303079f19ec3974327b3800d9fb6ec69fed002100
SHA512

8188e0988a95c4cc1bef475c841c781aa4c3a603cfc15184bd3f4e6103d9631effc722c2f67aee268650254490e89a57a75493f9fccec28b9058108579aea0a8
SSDEEP

3072:GhcmsSrI7vLHvWk4EqvE2Rf2p65dd54f/iaK9N4bve0ZQWf5CrAZuCrM:Gv4v8Ef/iayubWa

Score

10^/10

toxiceye rat spyware stealer trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2408-0-0x0000023591250000-0x000002359127A000-memory.dmp	disable_win_def
C:\Users\CyberEye\rat.exe	disable_win_def

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TelegramRAT.exerat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

1416 rat.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

31 raw.githubusercontent.com
32 raw.githubusercontent.com
33 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4116 schtasks.exe
3472 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4388 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5080 tasklist.exe

flow	ioc
31	raw.githubusercontent.com
32	raw.githubusercontent.com
33	raw.githubusercontent.com

pid	process
4116	schtasks.exe
3472	schtasks.exe

pid	process
4388	timeout.exe

pid	process
5080	tasklist.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

rat.exe

pid	process
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe
1416	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TelegramRAT.exetasklist.exerat.exe

description	pid	process
Token: SeDebugPrivilege	2408	TelegramRAT.exe
Token: SeDebugPrivilege	5080	tasklist.exe
Token: SeDebugPrivilege	1416	rat.exe
Token: SeDebugPrivilege	1416	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

1416 rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

TelegramRAT.execmd.exerat.exe

description	pid	process	target process
PID 2408 wrote to memory of 4116	2408	TelegramRAT.exe	schtasks.exe
PID 2408 wrote to memory of 4116	2408	TelegramRAT.exe	schtasks.exe
PID 2408 wrote to memory of 4952	2408	TelegramRAT.exe	cmd.exe
PID 2408 wrote to memory of 4952	2408	TelegramRAT.exe	cmd.exe
PID 4952 wrote to memory of 5080	4952	cmd.exe	tasklist.exe
PID 4952 wrote to memory of 5080	4952	cmd.exe	tasklist.exe
PID 4952 wrote to memory of 1008	4952	cmd.exe	find.exe
PID 4952 wrote to memory of 1008	4952	cmd.exe	find.exe
PID 4952 wrote to memory of 4388	4952	cmd.exe	timeout.exe
PID 4952 wrote to memory of 4388	4952	cmd.exe	timeout.exe
PID 4952 wrote to memory of 1416	4952	cmd.exe	rat.exe
PID 4952 wrote to memory of 1416	4952	cmd.exe	rat.exe
PID 1416 wrote to memory of 3472	1416	rat.exe	schtasks.exe
PID 1416 wrote to memory of 3472	1416	rat.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5360.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5360.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2408"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1008
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4388
- - C:\Users\CyberEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1416
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5360.tmp.bat

Filesize
188B

MD5
0294ef40516dbd68cd2d24997312dc49

SHA1
bf196902555c00be63d0ce19155f377068728d40

SHA256
56e275c5f8cb963c58f686e4c361a05afbabc2548a3d1c7bc30388894ffac846

SHA512
24a7053fa9700cb29fab9884d585b224c3584962a87ec5b46812ae58e3e240275934a4aae149795abe5bfabca77880683346e3662447cb2a46ce1a06cbe9f7c9

Download Submit
C:\Users\CyberEye\rat.exe

Filesize
143KB

MD5
d469138477c7462efab75afd4bd13db7

SHA1
daa970c886981f8ae8264fda8fc104dbffac6c66

SHA256
d064c0c5e34236710062931303079f19ec3974327b3800d9fb6ec69fed002100

SHA512
8188e0988a95c4cc1bef475c841c781aa4c3a603cfc15184bd3f4e6103d9631effc722c2f67aee268650254490e89a57a75493f9fccec28b9058108579aea0a8

Download Submit
memory/1416-11-0x00007FFDE71D0000-0x00007FFDE7C91000-memory.dmp

Filesize
10.8MB

Download
memory/1416-12-0x00000237597F0000-0x0000023759800000-memory.dmp

Filesize
64KB

Download
memory/1416-14-0x0000023759970000-0x000002375997A000-memory.dmp

Filesize
40KB

Download
memory/1416-16-0x00000237599A0000-0x00000237599B2000-memory.dmp

Filesize
72KB

Download
memory/1416-42-0x00007FFDE71D0000-0x00007FFDE7C91000-memory.dmp

Filesize
10.8MB

Download
memory/1416-43-0x00000237597F0000-0x0000023759800000-memory.dmp

Filesize
64KB

Download
memory/2408-0-0x0000023591250000-0x000002359127A000-memory.dmp

Filesize
168KB

Download
memory/2408-1-0x00007FFDE7830000-0x00007FFDE82F1000-memory.dmp

Filesize
10.8MB

Download
memory/2408-2-0x00000235AB860000-0x00000235AB870000-memory.dmp

Filesize
64KB

Download
memory/2408-6-0x00007FFDE7830000-0x00007FFDE82F1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads