toxiceye | c5ee6af8e3d3bdf216ce505c98458fb68f13360ad6c0cf50487b6bd3f33c52f8

General

Target

TelegramRAT.exe
Size

111KB
MD5

8834c1eaf28b3b076df2a0aac5d1148e
SHA1

640e70c94c0e01492c4c45cf2b23b65914a94cc5
SHA256

49f704606ec839fa6867a5f5f67090299b69b02dab7d352e161c8a754165de8a
SHA512

59c6d085818d43607ee2aef904899690a116a34f6e50978c35017d1a546964bcdfc435b7fb09bab998d4d0eacc8b614a58a55c029311d7c33473a501f4f3f561
SSDEEP

1536:p+bvqJIP4M91qQIwzUrxxxdKy2nBfUbhDqI6CsQWVzCrAZuDZ6Dd:sbvqJe4MUlxxDrbxqHBQWVzCrAZuDQd

Score

10^/10

toxiceye ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7005624592:AAFT1GroRFjOnavaa8nJipFR-iCuYT3f2xQ/sendMessage?chat_id=6235796510

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Renames multiple (254) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TelegramRAT.exerat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

2196 rat.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4856 schtasks.exe
3740 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2828 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5028 tasklist.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

rat.exe

pid process

2196 rat.exe

pid	process
4856	schtasks.exe
3740	schtasks.exe

pid	process
2828	timeout.exe

pid	process
5028	tasklist.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rat.exe

pid	process
2196	rat.exe
2196	rat.exe
2196	rat.exe
2196	rat.exe
2196	rat.exe
2196	rat.exe
2196	rat.exe
2196	rat.exe
2196	rat.exe
2196	rat.exe
2196	rat.exe
2196	rat.exe
2196	rat.exe
2196	rat.exe
2196	rat.exe
2196	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TelegramRAT.exetasklist.exerat.exe

description	pid	process
Token: SeDebugPrivilege	3124	TelegramRAT.exe
Token: SeDebugPrivilege	5028	tasklist.exe
Token: SeDebugPrivilege	2196	rat.exe
Token: SeDebugPrivilege	2196	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

2196 rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

TelegramRAT.execmd.exerat.exe

description	pid	process	target process
PID 3124 wrote to memory of 4856	3124	TelegramRAT.exe	schtasks.exe
PID 3124 wrote to memory of 4856	3124	TelegramRAT.exe	schtasks.exe
PID 3124 wrote to memory of 2616	3124	TelegramRAT.exe	cmd.exe
PID 3124 wrote to memory of 2616	3124	TelegramRAT.exe	cmd.exe
PID 2616 wrote to memory of 5028	2616	cmd.exe	tasklist.exe
PID 2616 wrote to memory of 5028	2616	cmd.exe	tasklist.exe
PID 2616 wrote to memory of 396	2616	cmd.exe	find.exe
PID 2616 wrote to memory of 396	2616	cmd.exe	find.exe
PID 2616 wrote to memory of 2828	2616	cmd.exe	timeout.exe
PID 2616 wrote to memory of 2828	2616	cmd.exe	timeout.exe
PID 2616 wrote to memory of 2196	2616	cmd.exe	rat.exe
PID 2616 wrote to memory of 2196	2616	cmd.exe	rat.exe
PID 2196 wrote to memory of 3740	2196	rat.exe	schtasks.exe
PID 2196 wrote to memory of 3740	2196	rat.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp31DD.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp31DD.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 3124"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:396
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2828
- - C:\Users\Admin\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7aecc611-26d7-49be-ae95-c7e71c0ec540}\0.1.filtertrie.intermediate.txt.crypted

Filesize
16B

MD5
4b63a8b6da902d17aba6043baae8fef6

SHA1
b89736178917de303da781aad4be703a8c43b4ac

SHA256
3e2e5b6dbfdb31a4d47ac9b5c41a0b63ce226b60d14f6d3c67937983259261ae

SHA512
11f6b3d4489a1699f015abb3dc90abc6dc418b1a3439e379451380c993628e47555da078d302cf2a5b257d2e961e448febe0012622ba8ebc21985228fb7e7097

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7aecc611-26d7-49be-ae95-c7e71c0ec540}\0.2.filtertrie.intermediate.txt.crypted

Filesize
16B

MD5
b5e7fbc99ce2cd65bc2e946e895643e5

SHA1
99f444d6cdbb916c92f225cd1bb829341822157d

SHA256
04844c82305d42c375955970552be0f4671132f2a238c75304deffa86456a309

SHA512
f1e1d37533e9db1b375047346d0c882e10b733e447ec9c09ea9497357717adb3734f60ccedba0c03106276c991c0dccc01410edef081f7c1c6e28516314ef1b7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086595780251.txt.crypted

Filesize
77KB

MD5
7130187265254a909f0124b37a4bbc01

SHA1
66bdda2642e46149cfafbd105ee33d9ff6803180

SHA256
ce9e4f35282616dfa16ae8463fe97ba0445f8f2059c91c855598129b40c9bbc4

SHA512
b1cced85a673e5f36e17c943921285b655f8f62bb1e8291cc816a9fb0d6331fe10f210b10e9294a607e5f2706e30dfe4489b39e00fa3bdaa1186cbca863713a3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088460765966.txt.crypted

Filesize
47KB

MD5
9fd976dbeabfafd7c405f4fcfdb06bc1

SHA1
972bcd96030b88062b889708a6a31fd96a44188e

SHA256
78ab1f7f6fb59c3c502945ca270fe8e68a7a83203192264d8b4c21d143c6fbb5

SHA512
879db9dc7030a58537b8fbb0badb6cb8bf5dd44240326981dffc6633bd5334f9ce093a2a28925011ba29225f45364553885723e733e276b940b1fd8dd3364c7e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586094498261003.txt.crypted

Filesize
66KB

MD5
6d5660dd3b0489982fb07a7984f15053

SHA1
bde5b25ae85383a10fd40fc8e9fe7d0d082e48dd

SHA256
c68d605c75e6212a6e6de8cd6b74457dc675665b3cf8b8dfef200ec27c699dc3

SHA512
21523d0bd87b90d21dadbc249be081b93781385abcbe4f03394fd583c3ca6020d5911e311c0f2b25027dc9617a1a86fc33616276ea105796d7b2efafc1fa885e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp31DD.tmp.bat

Filesize
185B

MD5
e869df259004674046692bdabb111166

SHA1
334357eff7bb838183215ee5a729e0a1bf410df7

SHA256
f61792e80bd37ec0a4bbf944014ccfd3daefb7ecfde261ee5d0f3091d9d34426

SHA512
7b38f0fb4d741086ba102432fe5a6e1a081a6eb41f5f3ca48259d06168ee83d5a550f9c0745b683f0a97dd21b2023b7f70a5386bfde2a8b049a78e7526af2687

Download Submit
C:\Users\Admin\rat.exe

Filesize
111KB

MD5
8834c1eaf28b3b076df2a0aac5d1148e

SHA1
640e70c94c0e01492c4c45cf2b23b65914a94cc5

SHA256
49f704606ec839fa6867a5f5f67090299b69b02dab7d352e161c8a754165de8a

SHA512
59c6d085818d43607ee2aef904899690a116a34f6e50978c35017d1a546964bcdfc435b7fb09bab998d4d0eacc8b614a58a55c029311d7c33473a501f4f3f561

Download Submit
memory/2196-11-0x000001CEED300000-0x000001CEED3AA000-memory.dmp

Filesize
680KB

Download
memory/2196-12-0x000001CEED430000-0x000001CEED4A6000-memory.dmp

Filesize
472KB

Download
memory/2196-267-0x000001CEECF10000-0x000001CEED0B9000-memory.dmp

Filesize
1.7MB

Download
memory/3124-0-0x000002279E2C0000-0x000002279E2E2000-memory.dmp

Filesize
136KB

Download
memory/3124-7-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download
memory/3124-1-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download
memory/3124-2-0x00000227B88D0000-0x00000227B88E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads