toxiceye | d45b164e99aed8684a4d79685278fa764be83092f1f64d1b299eb93229831cf1

General

Target

TelegramRAT.exe
Size

141KB
MD5

3748d676147a437e12c83372fb084b17
SHA1

d6d7fae8acf766850ebe20d4e32882b26eb7d71b
SHA256

d45b164e99aed8684a4d79685278fa764be83092f1f64d1b299eb93229831cf1
SHA512

d09daf64c757ec7138ebc512493fba48b357a98ddf16c4c9eebd4af82a6185894032f4e936d33e323066a715d29c13552e6533f5dc16eaf7fbf86f2fe0204423
SSDEEP

3072:LkSfx+nPu2KiQQ7+ofe7Uoxo1bKm1/QW4aCrAZr9IhsG:Qax+nmSn7B1bZ3i

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TelegramRAT.exerat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

3304 rat.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

38 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4028 schtasks.exe
1924 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1196 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1876 tasklist.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4904 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

rat.exe

pid process

3304 rat.exe
3304 rat.exe
3304 rat.exe

pid	process
3304	rat.exe

flow	ioc
38	raw.githubusercontent.com

pid	process
4028	schtasks.exe
1924	schtasks.exe

pid	process
1196	timeout.exe

pid	process
1876	tasklist.exe

pid	process
4904	NOTEPAD.EXE

pid	process
3304	rat.exe
3304	rat.exe
3304	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TelegramRAT.exetasklist.exerat.exe

description	pid	process
Token: SeDebugPrivilege	1144	TelegramRAT.exe
Token: SeDebugPrivilege	1876	tasklist.exe
Token: SeDebugPrivilege	3304	rat.exe
Token: SeDebugPrivilege	3304	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

3304 rat.exe

pid	process
3304	rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

TelegramRAT.execmd.exerat.exe

description	pid	process	target process
PID 1144 wrote to memory of 4028	1144	TelegramRAT.exe	schtasks.exe
PID 1144 wrote to memory of 4028	1144	TelegramRAT.exe	schtasks.exe
PID 1144 wrote to memory of 1580	1144	TelegramRAT.exe	cmd.exe
PID 1144 wrote to memory of 1580	1144	TelegramRAT.exe	cmd.exe
PID 1580 wrote to memory of 1876	1580	cmd.exe	tasklist.exe
PID 1580 wrote to memory of 1876	1580	cmd.exe	tasklist.exe
PID 1580 wrote to memory of 1612	1580	cmd.exe	find.exe
PID 1580 wrote to memory of 1612	1580	cmd.exe	find.exe
PID 1580 wrote to memory of 1196	1580	cmd.exe	timeout.exe
PID 1580 wrote to memory of 1196	1580	cmd.exe	timeout.exe
PID 1580 wrote to memory of 3304	1580	cmd.exe	rat.exe
PID 1580 wrote to memory of 3304	1580	cmd.exe	rat.exe
PID 3304 wrote to memory of 1924	3304	rat.exe	schtasks.exe
PID 3304 wrote to memory of 1924	3304	rat.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3C7C.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp3C7C.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1144"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1612
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1196
- - C:\a\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:1924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4072

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\a\bookmarks.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3C7C.tmp.bat

Filesize
175B

MD5
fff8b77e88f59f6f4c92cebd4f9f3443

SHA1
2c0219551237ed8ac1169160e9dc2fb6f7821390

SHA256
bf7a03a2547ed63a815b32bccc575d4440e28f39af7b9fbe1ac13e8aab33da02

SHA512
45bfc4891cb0a9e1dc751dd1bbbfb2e392b69a114c1dcc1d19e4666d305d5e29c9300bcf01ff4fa87c7c6d0978b560b7b8b412823c7469cb22793e04bd0d4b4b

Download Submit
C:\a\bookmarks.txt

Filesize
13B

MD5
61f8a15f0bf3ef90a36796b6cbb7b105

SHA1
9a0893ee4bfb0e58c64902fc4da215dcbec12e3f

SHA256
678150f8aa675320e486b135418a7ed5b546514a5aa808588eccc12fe8cd2130

SHA512
5afb5a40e95b289db50db7aa151a5a526ef04824533fccd0ad3d6ea813cc5621b8009521d7f5db69fbcb1a46640e963427fd6b42721df26f1fbfc89f59a8abab

Download Submit
C:\a\rat.exe

Filesize
141KB

MD5
3748d676147a437e12c83372fb084b17

SHA1
d6d7fae8acf766850ebe20d4e32882b26eb7d71b

SHA256
d45b164e99aed8684a4d79685278fa764be83092f1f64d1b299eb93229831cf1

SHA512
d09daf64c757ec7138ebc512493fba48b357a98ddf16c4c9eebd4af82a6185894032f4e936d33e323066a715d29c13552e6533f5dc16eaf7fbf86f2fe0204423

Download Submit
memory/1144-0-0x000001FBD8700000-0x000001FBD872A000-memory.dmp

Filesize
168KB

Download
memory/1144-1-0x00007FFA75000000-0x00007FFA75AC1000-memory.dmp

Filesize
10.8MB

Download
memory/1144-2-0x000001FBF2DF0000-0x000001FBF2E00000-memory.dmp

Filesize
64KB

Download
memory/1144-6-0x00007FFA75000000-0x00007FFA75AC1000-memory.dmp

Filesize
10.8MB

Download
memory/3304-11-0x00007FFA75000000-0x00007FFA75AC1000-memory.dmp

Filesize
10.8MB

Download
memory/3304-12-0x000001D4350F0000-0x000001D435100000-memory.dmp

Filesize
64KB

Download
memory/3304-14-0x000001D435640000-0x000001D43564A000-memory.dmp

Filesize
40KB

Download
memory/3304-16-0x00007FFA75000000-0x00007FFA75AC1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads