toxiceye | 05784dc21b94b6c838f1d979fcf7107fc7c1be31c026eccc9259c7878a52ba92

General

Target

TelegramRAT.exe
Size

141KB
MD5

3f348796bd487827ac9e566dc082d5ce
SHA1

54fd77ca70dfcb9dfa092ff5f5cc911eca27e39d
SHA256

05784dc21b94b6c838f1d979fcf7107fc7c1be31c026eccc9259c7878a52ba92
SHA512

bc5292d8a45e10fd59d4661bdb189f595407b5c3f5fbe2f6a3153e129d75a1d8e868ada144504640c2e1504cba8c717a365fab145ad04b7c179f2829f17309c8
SSDEEP

3072:Txx7ZFDCfyVRHpy756OtAVIqOYiibKmCPQW4eCrAZrRen1:FZZFDCfyVRJchDebZos

Score

10^/10

toxiceye rat spyware stealer trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TelegramRAT.exerat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

3200 rat.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

30 raw.githubusercontent.com
31 raw.githubusercontent.com
32 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4288 schtasks.exe
3808 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3372 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2384 tasklist.exe

flow	ioc
30	raw.githubusercontent.com
31	raw.githubusercontent.com
32	raw.githubusercontent.com

pid	process
4288	schtasks.exe
3808	schtasks.exe

pid	process
3372	timeout.exe

pid	process
2384	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rat.exe

pid	process
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe
3200	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TelegramRAT.exetasklist.exerat.exe

description	pid	process
Token: SeDebugPrivilege	3256	TelegramRAT.exe
Token: SeDebugPrivilege	2384	tasklist.exe
Token: SeDebugPrivilege	3200	rat.exe
Token: SeDebugPrivilege	3200	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

3200 rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

TelegramRAT.execmd.exerat.exe

description	pid	process	target process
PID 3256 wrote to memory of 4288	3256	TelegramRAT.exe	schtasks.exe
PID 3256 wrote to memory of 4288	3256	TelegramRAT.exe	schtasks.exe
PID 3256 wrote to memory of 4572	3256	TelegramRAT.exe	cmd.exe
PID 3256 wrote to memory of 4572	3256	TelegramRAT.exe	cmd.exe
PID 4572 wrote to memory of 2384	4572	cmd.exe	tasklist.exe
PID 4572 wrote to memory of 2384	4572	cmd.exe	tasklist.exe
PID 4572 wrote to memory of 2940	4572	cmd.exe	find.exe
PID 4572 wrote to memory of 2940	4572	cmd.exe	find.exe
PID 4572 wrote to memory of 3372	4572	cmd.exe	timeout.exe
PID 4572 wrote to memory of 3372	4572	cmd.exe	timeout.exe
PID 4572 wrote to memory of 3200	4572	cmd.exe	rat.exe
PID 4572 wrote to memory of 3200	4572	cmd.exe	rat.exe
PID 3200 wrote to memory of 3808	3200	rat.exe	schtasks.exe
PID 3200 wrote to memory of 3808	3200	rat.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 3256"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2940
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3372
- - C:\a\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp.bat

Filesize
175B

MD5
7bfdeb82c6f073b9bd0244d8cd241f08

SHA1
c3e5929b300058a63aa5660ffb38d5d12f9661a5

SHA256
df9324f1bf380dd714e390aea9fb9fc83f3100f0583bf10d9f0747063a82e198

SHA512
c1f6025f97d5d66dabdbf9bd457f22afd37934d72ae8a6aedbd86d44481224dec4721ceb8999e6178d8ae6b6c12eff08c19c41800e08718161598e1e4d3b654f

Download Submit
C:\a\rat.exe

Filesize
140KB

MD5
920d6ea63b03c8ca7c2fd8e456973f62

SHA1
16c977a44af4449be701b50414276ff80f60b373

SHA256
532b69ac7d72f436069bc93748de4838e2888e0bf88252428b656c5f0fb3b535

SHA512
e54ba38a2d51de259a0f55c3e437e775c4274d347c5a9b8fc8f4a08f019dfcca5e3122c3cfcedde7b9931c7db7ae20eaf5418a2b7919f40f794309c40355804c

Download Submit
C:\a\rat.exe

Filesize
141KB

MD5
3f348796bd487827ac9e566dc082d5ce

SHA1
54fd77ca70dfcb9dfa092ff5f5cc911eca27e39d

SHA256
05784dc21b94b6c838f1d979fcf7107fc7c1be31c026eccc9259c7878a52ba92

SHA512
bc5292d8a45e10fd59d4661bdb189f595407b5c3f5fbe2f6a3153e129d75a1d8e868ada144504640c2e1504cba8c717a365fab145ad04b7c179f2829f17309c8

Download Submit
memory/3200-22-0x00000277B5D70000-0x00000277B5D80000-memory.dmp

Filesize
64KB

Download
memory/3200-17-0x00000277B5D70000-0x00000277B5D80000-memory.dmp

Filesize
64KB

Download
memory/3200-47-0x00000277B5D70000-0x00000277B5D80000-memory.dmp

Filesize
64KB

Download
memory/3200-46-0x00000277B5D70000-0x00000277B5D80000-memory.dmp

Filesize
64KB

Download
memory/3200-11-0x00007FFDE7270000-0x00007FFDE7D31000-memory.dmp

Filesize
10.8MB

Download
memory/3200-12-0x00000277B5D70000-0x00000277B5D80000-memory.dmp

Filesize
64KB

Download
memory/3200-14-0x00000277CED80000-0x00000277CED8A000-memory.dmp

Filesize
40KB

Download
memory/3200-45-0x00000277B5D70000-0x00000277B5D80000-memory.dmp

Filesize
64KB

Download
memory/3200-16-0x00000277CEEF0000-0x00000277CEF02000-memory.dmp

Filesize
72KB

Download
memory/3200-44-0x00007FFDE7270000-0x00007FFDE7D31000-memory.dmp

Filesize
10.8MB

Download
memory/3256-0-0x0000026120760000-0x000002612078A000-memory.dmp

Filesize
168KB

Download
memory/3256-7-0x00007FFDE7270000-0x00007FFDE7D31000-memory.dmp

Filesize
10.8MB

Download
memory/3256-1-0x00007FFDE7270000-0x00007FFDE7D31000-memory.dmp

Filesize
10.8MB

Download
memory/3256-2-0x000002613AD30000-0x000002613AD40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads