toxiceye | 4090a62dc4c113b58b3cbc28832fcb03dcb33c4c257c5ec65e3c574dbc12db2a

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TelegramRAT.exe
Size

140KB
MD5

dfa6fcf1c40b948797c4826414a630de
SHA1

200faa577f4c2c9e6f15d0c01376ca9c16d87250
SHA256

4090a62dc4c113b58b3cbc28832fcb03dcb33c4c257c5ec65e3c574dbc12db2a
SHA512

f4e8ff21aee6d26cc985baa2bcc2b13d51d25b849f8f3ef7fffecc23ecbc092729ec409c2827671736c68a43d98edc896723e04912672aecbad894e381094e53
SSDEEP

3072:ukSfxDxDP+tVofe7UoxvxbKm1/QW4aCrAZ5KLhga:xaxNCLxbZ36

Score

10^/10

toxiceye rat spyware stealer trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

pid	Process
4760	rat.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
452	schtasks.exe
3640	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1584	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3804	tasklist.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2116	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe
4760	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	TelegramRAT.exe
Token: SeDebugPrivilege	3804	tasklist.exe
Token: SeDebugPrivilege	4760	rat.exe
Token: SeDebugPrivilege	4760	rat.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2116	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4760	rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 452	2024	TelegramRAT.exe	99
PID 2024 wrote to memory of 452	2024	TelegramRAT.exe	99
PID 2024 wrote to memory of 540	2024	TelegramRAT.exe	101
PID 2024 wrote to memory of 540	2024	TelegramRAT.exe	101
PID 540 wrote to memory of 3804	540	cmd.exe	103
PID 540 wrote to memory of 3804	540	cmd.exe	103
PID 540 wrote to memory of 1004	540	cmd.exe	104
PID 540 wrote to memory of 1004	540	cmd.exe	104
PID 540 wrote to memory of 1584	540	cmd.exe	105
PID 540 wrote to memory of 1584	540	cmd.exe	105
PID 540 wrote to memory of 4760	540	cmd.exe	106
PID 540 wrote to memory of 4760	540	cmd.exe	106
PID 4760 wrote to memory of 3640	4760	rat.exe	109
PID 4760 wrote to memory of 3640	4760	rat.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD66A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD66A.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2024"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3804
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1004
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1584
- - C:\a\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:3640

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD66A.tmp.bat

Filesize
175B

MD5
c4b6ff2a55362ba004ca27f1be91f2c9

SHA1
81995d9e6e318501a072207234fc497cffe48fc9

SHA256
7c79d0287fa6de54fce9122c845a9b7c64017d10fa4fc14aa9d94058c3f120c0

SHA512
c11909152cd8d0a6d63729b5fea0977b4053cd53a8dc9bc772d7b1720785a211412734219c0c0af8e6e47d176db1e9c36ccf74924bcca8486237bbbf22e1f6a3

Download Submit
C:\a\rat.exe

Filesize
140KB

MD5
dfa6fcf1c40b948797c4826414a630de

SHA1
200faa577f4c2c9e6f15d0c01376ca9c16d87250

SHA256
4090a62dc4c113b58b3cbc28832fcb03dcb33c4c257c5ec65e3c574dbc12db2a

SHA512
f4e8ff21aee6d26cc985baa2bcc2b13d51d25b849f8f3ef7fffecc23ecbc092729ec409c2827671736c68a43d98edc896723e04912672aecbad894e381094e53

Download Submit
memory/2024-0-0x00000272B6D00000-0x00000272B6D2A000-memory.dmp

Filesize
168KB

Download
memory/2024-1-0x00007FF9840E0000-0x00007FF984BA1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-2-0x00000272B8A80000-0x00000272B8A90000-memory.dmp

Filesize
64KB

Download
memory/2024-6-0x00007FF9840E0000-0x00007FF984BA1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-11-0x00007FF983D00000-0x00007FF9847C1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-12-0x000001ECBFF10000-0x000001ECBFF20000-memory.dmp

Filesize
64KB

Download
memory/4760-15-0x000001ECC1070000-0x000001ECC107A000-memory.dmp

Filesize
40KB

Download
memory/4760-16-0x000001ECBFF10000-0x000001ECBFF20000-memory.dmp

Filesize
64KB

Download
memory/4760-17-0x000001ECC1030000-0x000001ECC1042000-memory.dmp

Filesize
72KB

Download
memory/4760-43-0x00007FF983D00000-0x00007FF9847C1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-44-0x000001ECBFF10000-0x000001ECBFF20000-memory.dmp

Filesize
64KB

Download
memory/4760-45-0x000001ECBFF10000-0x000001ECBFF20000-memory.dmp

Filesize
64KB

Download
memory/4760-46-0x000001ECBFF10000-0x000001ECBFF20000-memory.dmp

Filesize
64KB

Download