toxiceye | 70443d8dd1d0b52f392d95b50a3582f5a2038f66a46faeb635bd7dbe73643bcb

General

Target

TelegramRAT.exe
Size

140KB
MD5

a7f2f3eb00e6fada6eef7f6d4bad84ac
SHA1

7772bf4e931c3ea67e6d1366b10b495618dd6733
SHA256

70443d8dd1d0b52f392d95b50a3582f5a2038f66a46faeb635bd7dbe73643bcb
SHA512

d133efdaed62350a7fcd05ffd2bd1510a731c6f131a86b54f3e941ffddd450a797bfec205decd7de1b994288fd52ed6f015839b1228720edd0927a3322c7f9d4
SSDEEP

3072:9kSfx8i3yykxyofe7UoxsbKm1/QW4aCrAZ54VhgO:KaxRxkxnbZ30

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2732 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

2440 rat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2744 schtasks.exe
1944 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2420 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1584 tasklist.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rat.exe

pid process

2440 rat.exe
2440 rat.exe

pid	process
2732	cmd.exe

pid	process
2440	rat.exe

pid	process
2744	schtasks.exe
1944	schtasks.exe

pid	process
2420	timeout.exe

pid	process
1584	tasklist.exe

pid	process
2440	rat.exe
2440	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TelegramRAT.exetasklist.exerat.exe

description	pid	process
Token: SeDebugPrivilege	2244	TelegramRAT.exe
Token: SeDebugPrivilege	1584	tasklist.exe
Token: SeDebugPrivilege	2440	rat.exe
Token: SeDebugPrivilege	2440	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

2440 rat.exe

pid	process
2440	rat.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

TelegramRAT.execmd.exerat.exe

description	pid	process	target process
PID 2244 wrote to memory of 2744	2244	TelegramRAT.exe	schtasks.exe
PID 2244 wrote to memory of 2744	2244	TelegramRAT.exe	schtasks.exe
PID 2244 wrote to memory of 2744	2244	TelegramRAT.exe	schtasks.exe
PID 2244 wrote to memory of 2732	2244	TelegramRAT.exe	cmd.exe
PID 2244 wrote to memory of 2732	2244	TelegramRAT.exe	cmd.exe
PID 2244 wrote to memory of 2732	2244	TelegramRAT.exe	cmd.exe
PID 2732 wrote to memory of 1584	2732	cmd.exe	tasklist.exe
PID 2732 wrote to memory of 1584	2732	cmd.exe	tasklist.exe
PID 2732 wrote to memory of 1584	2732	cmd.exe	tasklist.exe
PID 2732 wrote to memory of 2428	2732	cmd.exe	find.exe
PID 2732 wrote to memory of 2428	2732	cmd.exe	find.exe
PID 2732 wrote to memory of 2428	2732	cmd.exe	find.exe
PID 2732 wrote to memory of 2420	2732	cmd.exe	timeout.exe
PID 2732 wrote to memory of 2420	2732	cmd.exe	timeout.exe
PID 2732 wrote to memory of 2420	2732	cmd.exe	timeout.exe
PID 2732 wrote to memory of 2440	2732	cmd.exe	rat.exe
PID 2732 wrote to memory of 2440	2732	cmd.exe	rat.exe
PID 2732 wrote to memory of 2440	2732	cmd.exe	rat.exe
PID 2440 wrote to memory of 1944	2440	rat.exe	schtasks.exe
PID 2440 wrote to memory of 1944	2440	rat.exe	schtasks.exe
PID 2440 wrote to memory of 1944	2440	rat.exe	schtasks.exe
PID 2440 wrote to memory of 1104	2440	rat.exe	WerFault.exe
PID 2440 wrote to memory of 1104	2440	rat.exe	WerFault.exe
PID 2440 wrote to memory of 1104	2440	rat.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA4F6.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA4F6.tmp.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2244"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2428
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2420
- - C:\a\rat.exe
    "rat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:1944
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2440 -s 1576
      4⤵
      PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA4F6.tmp.bat

Filesize
175B

MD5
07dd398b3050143baf809739f8b3eb3a

SHA1
2fa09d041eceac5c0cd4e6905f6dad2a92b5b721

SHA256
8ec2685179d0d83f9e2f301862979d00f1d0f4dd77f3e04107dcbb2360f89e02

SHA512
d3fb159e2684a572e2edcc4c6aee7708ac46eb28b6ef41ea935781d371791950125a3e0ab76b55ab8a0339cb28ef883fa31be9ed8758ea624335c2438920a255

Download Submit
C:\a\rat.exe

Filesize
140KB

MD5
a7f2f3eb00e6fada6eef7f6d4bad84ac

SHA1
7772bf4e931c3ea67e6d1366b10b495618dd6733

SHA256
70443d8dd1d0b52f392d95b50a3582f5a2038f66a46faeb635bd7dbe73643bcb

SHA512
d133efdaed62350a7fcd05ffd2bd1510a731c6f131a86b54f3e941ffddd450a797bfec205decd7de1b994288fd52ed6f015839b1228720edd0927a3322c7f9d4

Download Submit
memory/2244-0-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/2244-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-2-0x000000001A7F0000-0x000000001A870000-memory.dmp

Filesize
512KB

Download
memory/2244-5-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2440-10-0x0000000000980000-0x00000000009AA000-memory.dmp

Filesize
168KB

Download
memory/2440-11-0x000007FEF4CA0000-0x000007FEF568C000-memory.dmp

Filesize
9.9MB

Download
memory/2440-12-0x000007FEF4CA0000-0x000007FEF568C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads