toxiceye | HWIDSpoofer[.]rar

Sharing

Copy URL

Twitter E-mail

General

Target

HWIDSpoofer.rar
Size

111KB
MD5

ad58dc2f2b6fed60f3414ca464981db0
SHA1

2a61b980f2a9638d8ea8f99c9bb93bf991eb3a59
SHA256

a19b644a6ecb9e91073f92dfb3765572a2fa41c2ed9a61e28572e4ffbc0c9182
SHA512

eee0907d0eed38026e12eaf35717e812750d2c03a3fd004a20a2ac3f2a1dd5775ee2886de321d9aa9b54cdf5f0b8e0aa17cb92e717867d5483c83475cb0c247a
SSDEEP

3072:88WQdwnKiEHxqtKWk/9EM9jLLvl7X0gX0nKgSfoaL:881GqRSlbMdLLd7XbHL

Score

10^/10

toxiceye

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot6475062216:AAHUdtxf0NkcapidE5Yky51TkMsdNHz7A40/sendMessage?chat_id=5054582116

Signatures

Toxiceye family
toxiceye

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/HWIDSpoofer/AudioSwitcher.AudioApi.CoreAudio.dll
unpack001/HWIDSpoofer/AudioSwitcher.AudioApi.dll
unpack001/HWIDSpoofer/HWIDSpoofer.exe

Files

HWIDSpoofer.rar
.rar

Password: infected
HWIDSpoofer/AudioSwitcher.AudioApi.CoreAudio.dll
.dll windows:4 windows x86 arch:x86

Password: infected

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

mscoree

_CorDllMain

Sections

.text
Size: 73KB - Virtual size: 73KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
HWIDSpoofer/AudioSwitcher.AudioApi.dll
.dll windows:4 windows x86 arch:x86

Password: infected

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Dev\AudioSwitcher\AudioSwitcher.AudioApi\obj\Release\AudioSwitcher.AudioApi.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
HWIDSpoofer/HWIDSpoofer.exe
.exe windows:4 windows x86 arch:x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\oleeb\Desktop\ToxicEye-master\TelegramRAT\TelegramRAT\obj\Debug\HWIDSpoofer.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 117KB - Virtual size: 116KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
HWIDSpoofer/Sodium.dll
.dll windows:4 windows x86 arch:x86

Password: infected

dae02f32a21e03ce65412f6e56942daa

Code Sign

fe:67:e4:f1:5a:24:e3:c6:0d:54:7c:a0:20:c2:76:70
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

08-03-2016 13:10

Not After

30-05-2027 13:10

Subject

CN=Certum EV TSA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

6b:32:6a:0f:03:28:d3:7a:1d:53:0b:fd:23:bd:48:e2
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

29-10-2015 11:30

Not After

09-06-2027 11:30

Subject

CN=Certum Code Signing CA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

32:d4:13:46:5a:84:6b:de:66:36:8b:8a:33:82:f5:bf
Certificate

Issuer

CN=Certum Code Signing CA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

07-07-2016 17:27

Not After

07-07-2017 17:27

Subject

CN=Open Source Developer\, Adam Caudill,O=Open Source Developer,C=US,1.2.840.113549.1.9.1=#0c146164616d406164616d63617564696c6c2e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

b0:83:5d:ce:39:95:7b:dc:65:e9:78:8d:ff:22:7e:c0:bf:64:45:15:c7:05:78:0e:60:9d:ff:13:dc:f4:c0:a6
Signer

Actual PE Digest

b0:83:5d:ce:39:95:7b:dc:65:e9:78:8d:ff:22:7e:c0:bf:64:45:15:c7:05:78:0e:60:9d:ff:13:dc:f4:c0:a6

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\Adam\Documents\GitHub\libsodium-net\libsodium-net\obj\Release\Sodium.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 972B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 73KB - Virtual size: 73KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Password: infected

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 38KB - Virtual size: 37KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 117KB - Virtual size: 116KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Password: infected

dae02f32a21e03ce65412f6e56942daa

Code Sign

fe:67:e4:f1:5a:24:e3:c6:0d:54:7c:a0:20:c2:76:70Certificate

Extended Key Usages

Key Usages

6b:32:6a:0f:03:28:d3:7a:1d:53:0b:fd:23:bd:48:e2Certificate

Extended Key Usages

Key Usages

32:d4:13:46:5a:84:6b:de:66:36:8b:8a:33:82:f5:bfCertificate

Extended Key Usages

Key Usages

b0:83:5d:ce:39:95:7b:dc:65:e9:78:8d:ff:22:7e:c0:bf:64:45:15:c7:05:78:0e:60:9d:ff:13:dc:f4:c0:a6Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

mscoree

Sections

.text Size: 52KB - Virtual size: 52KB

.rsrc Size: 1024B - Virtual size: 972B

.reloc Size: 512B - Virtual size: 12B

.text
Size: 73KB - Virtual size: 73KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 38KB - Virtual size: 37KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 117KB - Virtual size: 116KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

fe:67:e4:f1:5a:24:e3:c6:0d:54:7c:a0:20:c2:76:70
Certificate

6b:32:6a:0f:03:28:d3:7a:1d:53:0b:fd:23:bd:48:e2
Certificate

32:d4:13:46:5a:84:6b:de:66:36:8b:8a:33:82:f5:bf
Certificate

b0:83:5d:ce:39:95:7b:dc:65:e9:78:8d:ff:22:7e:c0:bf:64:45:15:c7:05:78:0e:60:9d:ff:13:dc:f4:c0:a6
Signer

.text
Size: 52KB - Virtual size: 52KB

.rsrc
Size: 1024B - Virtual size: 972B

.reloc
Size: 512B - Virtual size: 12B