toxiceye | 70443d8dd1d0b52f392d95b50a3582f5a2038f66a46faeb635bd7dbe73643bcb

General

Target

TelegramRAT.exe
Size

140KB
MD5

a7f2f3eb00e6fada6eef7f6d4bad84ac
SHA1

7772bf4e931c3ea67e6d1366b10b495618dd6733
SHA256

70443d8dd1d0b52f392d95b50a3582f5a2038f66a46faeb635bd7dbe73643bcb
SHA512

d133efdaed62350a7fcd05ffd2bd1510a731c6f131a86b54f3e941ffddd450a797bfec205decd7de1b994288fd52ed6f015839b1228720edd0927a3322c7f9d4
SSDEEP

3072:9kSfx8i3yykxyofe7UoxsbKm1/QW4aCrAZ54VhgO:KaxRxkxnbZ30

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

pid	Process
3944	rat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
35	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
988	schtasks.exe
2460	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3892	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4344	tasklist.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1552	NOTEPAD.EXE
4712	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3944	rat.exe
3944	rat.exe
3944	rat.exe
3944	rat.exe
3944	rat.exe
3944	rat.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3568	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3620	TelegramRAT.exe
Token: SeDebugPrivilege	4344	tasklist.exe
Token: SeDebugPrivilege	3944	rat.exe
Token: SeDebugPrivilege	3944	rat.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3944	rat.exe
3568	OpenWith.exe
3568	OpenWith.exe
3568	OpenWith.exe
3568	OpenWith.exe
3568	OpenWith.exe
3568	OpenWith.exe
3568	OpenWith.exe
3568	OpenWith.exe
3568	OpenWith.exe
3568	OpenWith.exe
3568	OpenWith.exe
3568	OpenWith.exe
3568	OpenWith.exe
3568	OpenWith.exe
3568	OpenWith.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 988	3620	TelegramRAT.exe	97
PID 3620 wrote to memory of 988	3620	TelegramRAT.exe	97
PID 3620 wrote to memory of 3456	3620	TelegramRAT.exe	99
PID 3620 wrote to memory of 3456	3620	TelegramRAT.exe	99
PID 3456 wrote to memory of 4344	3456	cmd.exe	101
PID 3456 wrote to memory of 4344	3456	cmd.exe	101
PID 3456 wrote to memory of 2672	3456	cmd.exe	102
PID 3456 wrote to memory of 2672	3456	cmd.exe	102
PID 3456 wrote to memory of 3892	3456	cmd.exe	103
PID 3456 wrote to memory of 3892	3456	cmd.exe	103
PID 3456 wrote to memory of 3944	3456	cmd.exe	105
PID 3456 wrote to memory of 3944	3456	cmd.exe	105
PID 3944 wrote to memory of 2460	3944	rat.exe	108
PID 3944 wrote to memory of 2460	3944	rat.exe	108
PID 3568 wrote to memory of 1552	3568	OpenWith.exe	117
PID 3568 wrote to memory of 1552	3568	OpenWith.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp3A.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 3620"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2672
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3892
- - C:\a\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:2460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\a\autosteal.lock
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:4500

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\a\bookmarks.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3A.tmp.bat

Filesize
175B

MD5
c443cd4616db54f23e03c8bc930b5a4e

SHA1
7542e9c15a9159b107feea0cb9e7d9a4210baa2d

SHA256
105b18e383e0fc1f1b14241212f0ae5dcac3c5dd010f65b4238e0acff1f706ec

SHA512
128efd1075f69b0e44a7645c5b29d13da0f2abfac339ecb89aaecfba67e80accb9f6c8b7285ead395f9e587141c30ce9af7fa497cfb084630ca5f0fd3b24a9f0

Download Submit
C:\a\bookmarks.txt

Filesize
13B

MD5
61f8a15f0bf3ef90a36796b6cbb7b105

SHA1
9a0893ee4bfb0e58c64902fc4da215dcbec12e3f

SHA256
678150f8aa675320e486b135418a7ed5b546514a5aa808588eccc12fe8cd2130

SHA512
5afb5a40e95b289db50db7aa151a5a526ef04824533fccd0ad3d6ea813cc5621b8009521d7f5db69fbcb1a46640e963427fd6b42721df26f1fbfc89f59a8abab

Download Submit
C:\a\rat.exe

Filesize
140KB

MD5
a7f2f3eb00e6fada6eef7f6d4bad84ac

SHA1
7772bf4e931c3ea67e6d1366b10b495618dd6733

SHA256
70443d8dd1d0b52f392d95b50a3582f5a2038f66a46faeb635bd7dbe73643bcb

SHA512
d133efdaed62350a7fcd05ffd2bd1510a731c6f131a86b54f3e941ffddd450a797bfec205decd7de1b994288fd52ed6f015839b1228720edd0927a3322c7f9d4

Download Submit
memory/3620-0-0x0000018982950000-0x000001898297A000-memory.dmp

Filesize
168KB

Download
memory/3620-1-0x00007FF8A1B10000-0x00007FF8A25D1000-memory.dmp

Filesize
10.8MB

Download
memory/3620-2-0x00000189848C0000-0x00000189848D0000-memory.dmp

Filesize
64KB

Download
memory/3620-7-0x00007FF8A1B10000-0x00007FF8A25D1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-11-0x00007FF8A1B10000-0x00007FF8A25D1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-12-0x00000180FFB30000-0x00000180FFB40000-memory.dmp

Filesize
64KB

Download
memory/3944-14-0x00000180FFEE0000-0x00000180FFEF2000-memory.dmp

Filesize
72KB

Download
memory/3944-15-0x00000180FFED0000-0x00000180FFEDA000-memory.dmp

Filesize
40KB

Download
memory/3944-17-0x00007FF8A1B10000-0x00007FF8A25D1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads