toxiceye | 276d53b6f343cffb4e81e6db87b30dce162b82dd2ed9aea49d754cdfba8e865a

General

Target

Win-XwormRat-builder.exe
Size

928KB
MD5

db9df61757cc712eb190955371d24937
SHA1

308155685a2bcc0369a63d1ac2c13c7293cedce7
SHA256

276d53b6f343cffb4e81e6db87b30dce162b82dd2ed9aea49d754cdfba8e865a
SHA512

cf2ab30da84cdee5988c52f08403a33d99f5565839959763aaa4b34745251cc32839e466e7c6c27f83145bc10b55e0f279a4165af58db28156f34aa2b44a921e
SSDEEP

12288:V8pICumxgLj3PSg+Gfqxk01P6RNGZS7yK8g3dviBOEBkCtip/y6Lr9vXjdkpgLMk:p1ixARrLl1/1q+

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot5536756167:AAFMcQrFbMZMBynbrtZUudaOT9ndCJXIqT4/sendMessage?chat_id=2024893777

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Update.exeWin-XwormRat-builder.exewin-xwarm-builder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	Win-XwormRat-builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	win-xwarm-builder.exe

Executes dropped EXE 2 IoCs

Processes:

win-xwarm-builder.exeUpdate.exe

pid process

4840 win-xwarm-builder.exe
2504 Update.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3992 schtasks.exe
1468 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3436 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4980 tasklist.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Update.exe

pid process

2504 Update.exe
2504 Update.exe
2504 Update.exe
2504 Update.exe
2504 Update.exe

pid	process
4840	win-xwarm-builder.exe
2504	Update.exe

pid	process
3992	schtasks.exe
1468	schtasks.exe

pid	process
3436	timeout.exe

pid	process
4980	tasklist.exe

pid	process
2504	Update.exe
2504	Update.exe
2504	Update.exe
2504	Update.exe
2504	Update.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

win-xwarm-builder.exetasklist.exeUpdate.exe

description	pid	process
Token: SeDebugPrivilege	4840	win-xwarm-builder.exe
Token: SeDebugPrivilege	4980	tasklist.exe
Token: SeDebugPrivilege	2504	Update.exe
Token: SeDebugPrivilege	2504	Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Update.exe

pid process

2504 Update.exe

pid	process
2504	Update.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Win-XwormRat-builder.exewin-xwarm-builder.execmd.exeUpdate.exe

description	pid	process	target process
PID 4692 wrote to memory of 4840	4692	Win-XwormRat-builder.exe	win-xwarm-builder.exe
PID 4692 wrote to memory of 4840	4692	Win-XwormRat-builder.exe	win-xwarm-builder.exe
PID 4840 wrote to memory of 3992	4840	win-xwarm-builder.exe	schtasks.exe
PID 4840 wrote to memory of 3992	4840	win-xwarm-builder.exe	schtasks.exe
PID 4840 wrote to memory of 2968	4840	win-xwarm-builder.exe	cmd.exe
PID 4840 wrote to memory of 2968	4840	win-xwarm-builder.exe	cmd.exe
PID 2968 wrote to memory of 4980	2968	cmd.exe	tasklist.exe
PID 2968 wrote to memory of 4980	2968	cmd.exe	tasklist.exe
PID 2968 wrote to memory of 2232	2968	cmd.exe	find.exe
PID 2968 wrote to memory of 2232	2968	cmd.exe	find.exe
PID 2968 wrote to memory of 3436	2968	cmd.exe	timeout.exe
PID 2968 wrote to memory of 3436	2968	cmd.exe	timeout.exe
PID 2968 wrote to memory of 2504	2968	cmd.exe	Update.exe
PID 2968 wrote to memory of 2504	2968	cmd.exe	Update.exe
PID 2504 wrote to memory of 1468	2504	Update.exe	schtasks.exe
PID 2504 wrote to memory of 1468	2504	Update.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Win-XwormRat-builder.exe
"C:\Users\Admin\AppData\Local\Temp\Win-XwormRat-builder.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe
  "C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5525.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5525.tmp.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 4840"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4980
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:2232
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3436
  - - C:\Users\Static\Update.exe
      "Update.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5525.tmp.bat

Filesize
195B

MD5
3e6e7ed572917c40774ec2dfb73b36da

SHA1
46e4b2540954ad11de191fa252ca9d5ab4c60c85

SHA256
165cf875dd98ddec219dfd4868d8d1aad4a755537bef6606203e24dc90ed6958

SHA512
1d888dd353e83680e9f33de4c49ec3c76fd5c3078090c5dac19baa11ad9b7c3a656c8c245c40b8e93cd8878f2aca956a841ab26ab42f57922a153df3ca3f9373

Download Submit
C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe

Filesize
127KB

MD5
f6f686df785d0abdc66d1f90fa508c4b

SHA1
75f348132001df30cbad9c7cae2e2072fcaca38e

SHA256
61b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f

SHA512
7daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77

Download Submit
memory/2504-26-0x00007FFD43AC0000-0x00007FFD44581000-memory.dmp

Filesize
10.8MB

Download
memory/2504-27-0x0000026CE14E0000-0x0000026CE14F0000-memory.dmp

Filesize
64KB

Download
memory/4692-0-0x0000025214FC0000-0x00000252150AE000-memory.dmp

Filesize
952KB

Download
memory/4692-2-0x00007FFD43AC0000-0x00007FFD44581000-memory.dmp

Filesize
10.8MB

Download
memory/4692-3-0x000002522F610000-0x000002522F620000-memory.dmp

Filesize
64KB

Download
memory/4692-17-0x00007FFD43AC0000-0x00007FFD44581000-memory.dmp

Filesize
10.8MB

Download
memory/4840-14-0x000001C5F3B60000-0x000001C5F3B86000-memory.dmp

Filesize
152KB

Download
memory/4840-15-0x00007FFD43AC0000-0x00007FFD44581000-memory.dmp

Filesize
10.8MB

Download
memory/4840-16-0x000001C5F3F70000-0x000001C5F3F80000-memory.dmp

Filesize
64KB

Download
memory/4840-21-0x00007FFD43AC0000-0x00007FFD44581000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads