toxiceye | c5ee6af8e3d3bdf216ce505c98458fb68f13360ad6c0cf50487b6bd3f33c52f8

Reason

Machine shutdown

General

Target

TelegramRAT.exe
Size

111KB
MD5

8834c1eaf28b3b076df2a0aac5d1148e
SHA1

640e70c94c0e01492c4c45cf2b23b65914a94cc5
SHA256

49f704606ec839fa6867a5f5f67090299b69b02dab7d352e161c8a754165de8a
SHA512

59c6d085818d43607ee2aef904899690a116a34f6e50978c35017d1a546964bcdfc435b7fb09bab998d4d0eacc8b614a58a55c029311d7c33473a501f4f3f561
SSDEEP

1536:p+bvqJIP4M91qQIwzUrxxxdKy2nBfUbhDqI6CsQWVzCrAZuDZ6Dd:sbvqJe4MUlxxDrbxqHBQWVzCrAZuDQd

Score

10^/10

toxiceye ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7005624592:AAFT1GroRFjOnavaa8nJipFR-iCuYT3f2xQ/sendMessage?chat_id=6235796510

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Renames multiple (265) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TelegramRAT.exerat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

4820 rat.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1240 schtasks.exe
4052 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5044 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4536 tasklist.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

rat.exe

pid process

4820 rat.exe

pid	process
1240	schtasks.exe
4052	schtasks.exe

pid	process
5044	timeout.exe

pid	process
4536	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rat.exe

pid	process
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe
4820	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TelegramRAT.exetasklist.exerat.exe

description	pid	process
Token: SeDebugPrivilege	3704	TelegramRAT.exe
Token: SeDebugPrivilege	4536	tasklist.exe
Token: SeDebugPrivilege	4820	rat.exe
Token: SeDebugPrivilege	4820	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

4820 rat.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

TelegramRAT.execmd.exerat.execmd.exe

description	pid	process	target process
PID 3704 wrote to memory of 1240	3704	TelegramRAT.exe	schtasks.exe
PID 3704 wrote to memory of 1240	3704	TelegramRAT.exe	schtasks.exe
PID 3704 wrote to memory of 1500	3704	TelegramRAT.exe	cmd.exe
PID 3704 wrote to memory of 1500	3704	TelegramRAT.exe	cmd.exe
PID 1500 wrote to memory of 4536	1500	cmd.exe	tasklist.exe
PID 1500 wrote to memory of 4536	1500	cmd.exe	tasklist.exe
PID 1500 wrote to memory of 1192	1500	cmd.exe	find.exe
PID 1500 wrote to memory of 1192	1500	cmd.exe	find.exe
PID 1500 wrote to memory of 5044	1500	cmd.exe	timeout.exe
PID 1500 wrote to memory of 5044	1500	cmd.exe	timeout.exe
PID 1500 wrote to memory of 4820	1500	cmd.exe	rat.exe
PID 1500 wrote to memory of 4820	1500	cmd.exe	rat.exe
PID 4820 wrote to memory of 4052	4820	rat.exe	schtasks.exe
PID 4820 wrote to memory of 4052	4820	rat.exe	schtasks.exe
PID 4820 wrote to memory of 1832	4820	rat.exe	cmd.exe
PID 4820 wrote to memory of 1832	4820	rat.exe	cmd.exe
PID 1832 wrote to memory of 1892	1832	cmd.exe	notepad.exe
PID 1832 wrote to memory of 1892	1832	cmd.exe	notepad.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5573.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5573.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 3704"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1192
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5044
- - C:\Users\Admin\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:4052
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c notepad.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Windows\system32\notepad.exe
        
        notepad.exe
        5⤵
        
        PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a071ad59-d4f9-4b90-809d-9a64b4020cd6}\0.1.filtertrie.intermediate.txt.crypted

Filesize
16B

MD5
887f00be33e73bc4cc47a364d7948411

SHA1
4b2cc6e2fb69c0fd73da185f042451f0e9382ed2

SHA256
f83849f65975620b5f76b62b0f05cbc7314b98b405be5217cfe40819c4636eda

SHA512
ce2a04162f32bcf32f882a868650046c8fe4fb99c2a6c9e2f75f4613783c81873cec116c919b9fb937237e1e655fe2514c375a8595e843b9ff27012aff00939a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a071ad59-d4f9-4b90-809d-9a64b4020cd6}\0.2.filtertrie.intermediate.txt.crypted

Filesize
16B

MD5
c528b27e87b15675c55d69bf277635fa

SHA1
ccd5a9a0bd11aef01cd0fa4afb4a9161c17838fb

SHA256
ec0ea706193dd20df0134d39a7d0a4c7b7aded0147823f3189897f270d00fbba

SHA512
d063c50ef11b797ce93b4add941ade6772b27db3f4b2948a0dcc2e288b66bd0f3fe3d25cb9fc5796cc20a24622c8d9c258795716874c399d9f52783fa2aee49e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086821031652.txt.crypted

Filesize
77KB

MD5
1eebf84e10169dc740770edc44193e0a

SHA1
af56e570ffdee0659e22ced099015ebda9eff1d4

SHA256
4bb0223a22fe02648db88fcf3c62849e320e330839c3af03e6c12ad008171b6b

SHA512
2007e4d96bfcdaba504cb18354ad6b581f8164ad5eab02bd3fdbb05716ec6d73225da7ec3f16fbe6d089e51cb3e1c660b18cdda5be03bc29d3f382e44035abd6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586092380013040.txt.crypted

Filesize
48KB

MD5
42ade2c7299f8fb4a348b709d76acf4d

SHA1
00c92c164c5a6a93b67b18a9c5be25c8751f676c

SHA256
8207bce99f6c3c62655fe5f95e7ce3e75058d02e14f4dc16ad58cafe8ab6019a

SHA512
11c0348ae652c3bbabc9df497d2fa568c2ba33d3e60fdb986acc244156f9f5132e2cad788a1a6b5d50ac933c4c47d3ec50a6c841dcac56bf8938ac85bf78ceb3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586095412638284.txt.crypted

Filesize
66KB

MD5
015fffc0c7b0ecc627aa8582bf2bd7bc

SHA1
e261906333cb8929db64ea4ce29df8033695b1f6

SHA256
dc57145cd03b530555dcb0e7b0cec173df8ba4077d4ef27ee8c553faa65ebeef

SHA512
f2605e6f4e7795f002f6f97fe52d4dede5b307e53a4d8614dedfeb8e9dc7c25482c50c56ca1b288bbb5ac1c1eed73a6b92dbf9d87be26293b782521a85f35fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5573.tmp.bat

Filesize
185B

MD5
e7684450c45794366a5f04f838339e08

SHA1
147c67918e3a0fd95df150b6b03f688da11d5fa2

SHA256
992480cd533e14ab7b7bd3987114896ebdba97d77dd21a9ca46d52336f16c29f

SHA512
d073fc3d33ea5dab0caa581daaa4124b4c3824168fcd7ac487209050793cc426ff0ce09c1aac72c88aa3653e944c1c580511100ce333d32c1c71b4e1ea3848a3

Download Submit
C:\Users\Admin\rat.exe

Filesize
111KB

MD5
8834c1eaf28b3b076df2a0aac5d1148e

SHA1
640e70c94c0e01492c4c45cf2b23b65914a94cc5

SHA256
49f704606ec839fa6867a5f5f67090299b69b02dab7d352e161c8a754165de8a

SHA512
59c6d085818d43607ee2aef904899690a116a34f6e50978c35017d1a546964bcdfc435b7fb09bab998d4d0eacc8b614a58a55c029311d7c33473a501f4f3f561

Download Submit
memory/3704-6-0x00007FFD6EC10000-0x00007FFD6F6D1000-memory.dmp

Filesize
10.8MB

Download
memory/3704-0-0x000001AC846F0000-0x000001AC84712000-memory.dmp

Filesize
136KB

Download
memory/3704-2-0x000001AC9ED90000-0x000001AC9EDA0000-memory.dmp

Filesize
64KB

Download
memory/3704-1-0x00007FFD6EC10000-0x00007FFD6F6D1000-memory.dmp

Filesize
10.8MB

Download
memory/4820-12-0x000002C552B10000-0x000002C552B86000-memory.dmp

Filesize
472KB

Download
memory/4820-11-0x000002C5529E0000-0x000002C552A8A000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads