toxiceye | 276d53b6f343cffb4e81e6db87b30dce162b82dd2ed9aea49d754cdfba8e865a

General

Target

Win-XwormRat-builder.exe
Size

928KB
MD5

db9df61757cc712eb190955371d24937
SHA1

308155685a2bcc0369a63d1ac2c13c7293cedce7
SHA256

276d53b6f343cffb4e81e6db87b30dce162b82dd2ed9aea49d754cdfba8e865a
SHA512

cf2ab30da84cdee5988c52f08403a33d99f5565839959763aaa4b34745251cc32839e466e7c6c27f83145bc10b55e0f279a4165af58db28156f34aa2b44a921e
SSDEEP

12288:V8pICumxgLj3PSg+Gfqxk01P6RNGZS7yK8g3dviBOEBkCtip/y6Lr9vXjdkpgLMk:p1ixARrLl1/1q+

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot5536756167:AAFMcQrFbMZMBynbrtZUudaOT9ndCJXIqT4/sendMessage?chat_id=2024893777

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Executes dropped EXE 2 IoCs

Processes:

win-xwarm-builder.exeUpdate.exe

pid process

620 win-xwarm-builder.exe
772 Update.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2608 timeout.exe
348 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2576 tasklist.exe
2824 tasklist.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2792 schtasks.exe
2088 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Update.exe

pid process

772 Update.exe
772 Update.exe
772 Update.exe
772 Update.exe

pid	process
620	win-xwarm-builder.exe
772	Update.exe

pid	process
2608	timeout.exe
348	timeout.exe

pid	process
2576	tasklist.exe
2824	tasklist.exe

pid	process
2792	schtasks.exe
2088	schtasks.exe

pid	process
772	Update.exe
772	Update.exe
772	Update.exe
772	Update.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

win-xwarm-builder.exetasklist.exetasklist.exeUpdate.exe

description	pid	process
Token: SeDebugPrivilege	620	win-xwarm-builder.exe
Token: SeDebugPrivilege	2576	tasklist.exe
Token: SeDebugPrivilege	2824	tasklist.exe
Token: SeDebugPrivilege	772	Update.exe
Token: SeDebugPrivilege	772	Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Update.exe

pid process

772 Update.exe

pid	process
772	Update.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Win-XwormRat-builder.exewin-xwarm-builder.execmd.exeUpdate.exe

description	pid	process	target process
PID 2996 wrote to memory of 620	2996	Win-XwormRat-builder.exe	win-xwarm-builder.exe
PID 2996 wrote to memory of 620	2996	Win-XwormRat-builder.exe	win-xwarm-builder.exe
PID 2996 wrote to memory of 620	2996	Win-XwormRat-builder.exe	win-xwarm-builder.exe
PID 2996 wrote to memory of 236	2996	Win-XwormRat-builder.exe	WerFault.exe
PID 2996 wrote to memory of 236	2996	Win-XwormRat-builder.exe	WerFault.exe
PID 2996 wrote to memory of 236	2996	Win-XwormRat-builder.exe	WerFault.exe
PID 620 wrote to memory of 2792	620	win-xwarm-builder.exe	schtasks.exe
PID 620 wrote to memory of 2792	620	win-xwarm-builder.exe	schtasks.exe
PID 620 wrote to memory of 2792	620	win-xwarm-builder.exe	schtasks.exe
PID 620 wrote to memory of 2672	620	win-xwarm-builder.exe	cmd.exe
PID 620 wrote to memory of 2672	620	win-xwarm-builder.exe	cmd.exe
PID 620 wrote to memory of 2672	620	win-xwarm-builder.exe	cmd.exe
PID 2672 wrote to memory of 2576	2672	cmd.exe	tasklist.exe
PID 2672 wrote to memory of 2576	2672	cmd.exe	tasklist.exe
PID 2672 wrote to memory of 2576	2672	cmd.exe	tasklist.exe
PID 2672 wrote to memory of 2992	2672	cmd.exe	find.exe
PID 2672 wrote to memory of 2992	2672	cmd.exe	find.exe
PID 2672 wrote to memory of 2992	2672	cmd.exe	find.exe
PID 2672 wrote to memory of 2608	2672	cmd.exe	timeout.exe
PID 2672 wrote to memory of 2608	2672	cmd.exe	timeout.exe
PID 2672 wrote to memory of 2608	2672	cmd.exe	timeout.exe
PID 2672 wrote to memory of 2824	2672	cmd.exe	tasklist.exe
PID 2672 wrote to memory of 2824	2672	cmd.exe	tasklist.exe
PID 2672 wrote to memory of 2824	2672	cmd.exe	tasklist.exe
PID 2672 wrote to memory of 1748	2672	cmd.exe	find.exe
PID 2672 wrote to memory of 1748	2672	cmd.exe	find.exe
PID 2672 wrote to memory of 1748	2672	cmd.exe	find.exe
PID 2672 wrote to memory of 348	2672	cmd.exe	timeout.exe
PID 2672 wrote to memory of 348	2672	cmd.exe	timeout.exe
PID 2672 wrote to memory of 348	2672	cmd.exe	timeout.exe
PID 2672 wrote to memory of 772	2672	cmd.exe	Update.exe
PID 2672 wrote to memory of 772	2672	cmd.exe	Update.exe
PID 2672 wrote to memory of 772	2672	cmd.exe	Update.exe
PID 772 wrote to memory of 2088	772	Update.exe	schtasks.exe
PID 772 wrote to memory of 2088	772	Update.exe	schtasks.exe
PID 772 wrote to memory of 2088	772	Update.exe	schtasks.exe
PID 772 wrote to memory of 1420	772	Update.exe	WerFault.exe
PID 772 wrote to memory of 1420	772	Update.exe	WerFault.exe
PID 772 wrote to memory of 1420	772	Update.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Win-XwormRat-builder.exe
"C:\Users\Admin\AppData\Local\Temp\Win-XwormRat-builder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe
  "C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2792
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpFBCC.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpFBCC.tmp.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 620"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2576
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:2992
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2608
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 620"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2824
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:1748
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:348
  - - C:\Users\Static\Update.exe
      "Update.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:772
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2088
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 772 -s 1600
        5⤵
        
        PID:1420
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2996 -s 936
  2⤵
  PID:236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFBCC.tmp.bat

Filesize
194B

MD5
fdbd8af7210e941c2f9655140a293d69

SHA1
9d383792f8b39850b9d0dab294cd01c03ff47fe4

SHA256
c2120ea9275419be6f32b0714b2b72bc8c7748d12dfd6d18b2795efd82ec9554

SHA512
1432d43b7b40baac0ee706213b8e374b4ecd8bc9ab1143d6a0c47e2ac6d550c548f538c82f6f495a500ae26546cde2f80b51a9ef0d769cfef9e284c02f7e8fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe

Filesize
127KB

MD5
f6f686df785d0abdc66d1f90fa508c4b

SHA1
75f348132001df30cbad9c7cae2e2072fcaca38e

SHA256
61b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f

SHA512
7daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77

Download Submit
memory/620-8-0x0000000001390000-0x00000000013B6000-memory.dmp

Filesize
152KB

Download
memory/620-9-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/620-10-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/620-15-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/772-19-0x0000000001060000-0x0000000001086000-memory.dmp

Filesize
152KB

Download
memory/2996-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/2996-1-0x00000000013A0000-0x000000000148E000-memory.dmp

Filesize
952KB

Download
memory/2996-6-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-11-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads