toxiceye | 02c7134832ad61cbc849dc3a86b760dd2e0d8b8006ef9a528c49f58c58ad4754

General

Target

RookieSideloader2.4.2.exe
Size

175KB
MD5

b6fc8d9f29f88a28b503dd7d5f07845f
SHA1

d8013873cca8bd22f645462b6a61a5b93fe9e8ac
SHA256

02c7134832ad61cbc849dc3a86b760dd2e0d8b8006ef9a528c49f58c58ad4754
SHA512

611d02f2fe66bab5a7a8959d21179caf4162c52a38867d0e35eccba2db56321f196a4165b9a89c87029b7a6ea8b4f8bdaa8f645c93a260ddc92671e50e654139
SSDEEP

1536:C+bAQAsnqLoM91qQIwxUZXnLoBn0x4HbhSqI64QWmzCrAZuoQtpV:FbKsnwo0WPaboqH4QWmzCrAZuoMV

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot6984690567:AAGHPW4k4aUBr_HzwNyCVuOcTuDnmw8Xzuw/sendMessage?chat_id=6751370598

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	RookieSideloader2.4.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

pid	Process
3080	rat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4840	schtasks.exe
5096	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
492	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3668	tasklist.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3080	rat.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe
3080	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	RookieSideloader2.4.2.exe
Token: SeDebugPrivilege	3668	tasklist.exe
Token: SeDebugPrivilege	3080	rat.exe
Token: SeDebugPrivilege	3080	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3080	rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 4840	4564	RookieSideloader2.4.2.exe	88
PID 4564 wrote to memory of 4840	4564	RookieSideloader2.4.2.exe	88
PID 4564 wrote to memory of 5008	4564	RookieSideloader2.4.2.exe	90
PID 4564 wrote to memory of 5008	4564	RookieSideloader2.4.2.exe	90
PID 5008 wrote to memory of 3668	5008	cmd.exe	92
PID 5008 wrote to memory of 3668	5008	cmd.exe	92
PID 5008 wrote to memory of 4808	5008	cmd.exe	93
PID 5008 wrote to memory of 4808	5008	cmd.exe	93
PID 5008 wrote to memory of 492	5008	cmd.exe	95
PID 5008 wrote to memory of 492	5008	cmd.exe	95
PID 5008 wrote to memory of 3080	5008	cmd.exe	96
PID 5008 wrote to memory of 3080	5008	cmd.exe	96
PID 3080 wrote to memory of 5096	3080	rat.exe	101
PID 3080 wrote to memory of 5096	3080	rat.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RookieSideloader2.4.2.exe
"C:\Users\Admin\AppData\Local\Temp\RookieSideloader2.4.2.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp598A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp598A.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 4564"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3668
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4808
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:492
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Creates scheduled task(s)
      PID:5096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp598A.tmp.bat

Filesize
198B

MD5
e7487438f19829c1653082fc7ba4156e

SHA1
912f1290220f4650331942260547f6c063763d71

SHA256
f9a1a079db77569a7d4af14e6485fd9eeac3df7a0c81bce3e595734528b54dbf

SHA512
f94e69ce5824bedac511266d1b83149ce032c842b70f224673940074ad9be3f3d3af2d1deba327d1a7183168e0c77914daff0b41b8a968f317d06c03c98bea38

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
175KB

MD5
b6fc8d9f29f88a28b503dd7d5f07845f

SHA1
d8013873cca8bd22f645462b6a61a5b93fe9e8ac

SHA256
02c7134832ad61cbc849dc3a86b760dd2e0d8b8006ef9a528c49f58c58ad4754

SHA512
611d02f2fe66bab5a7a8959d21179caf4162c52a38867d0e35eccba2db56321f196a4165b9a89c87029b7a6ea8b4f8bdaa8f645c93a260ddc92671e50e654139

Download Submit
memory/3080-11-0x0000026BF69C0000-0x0000026BF6A6A000-memory.dmp

Filesize
680KB

Download
memory/3080-12-0x0000026BF6AF0000-0x0000026BF6B66000-memory.dmp

Filesize
472KB

Download
memory/4564-0-0x00007FFCB8943000-0x00007FFCB8945000-memory.dmp

Filesize
8KB

Download
memory/4564-1-0x000001A395390000-0x000001A3953C2000-memory.dmp

Filesize
200KB

Download
memory/4564-2-0x00007FFCB8940000-0x00007FFCB9401000-memory.dmp

Filesize
10.8MB

Download
memory/4564-6-0x00007FFCB8940000-0x00007FFCB9401000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads