toxiceye | f7514a2e0e612b0b4211c4655fedc3a7052578f38f1bfe131e2213102c164e34

General

Target

TelegramRAT.exe
Size

111KB
MD5

3c6f5e7ca1f0279c860554b7b4dfaf5d
SHA1

15c4baaa666353eb7dd5d28a76aead8bf14bc352
SHA256

f7514a2e0e612b0b4211c4655fedc3a7052578f38f1bfe131e2213102c164e34
SHA512

1c8ac972d4ef27ec0f80e850137a8f19c95c72b97f2dede9c4d0caf007709133a5f2e248f6f04bc6e30fbbea742b8f4ae66a4f3408ab0d00ca48c48865947b09
SSDEEP

1536:l+b6QDWv5IDlOM91qQIwy3xZxdyyKDWfybhDqI6oQWVzCrAZuW5TDx:Ib2IpOLhZxjQbxqHoQWVzCrAZuWRx

Score

10^/10

toxiceye rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7074076538:AAGqOb5C3l0YTijTUMFzandCeulk-NFhSz0/sendMessage?chat_id=5623362319

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TelegramRAT.exedupe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	dupe.exe

Executes dropped EXE 1 IoCs

Processes:

dupe.exe

pid process

3456 dupe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1964 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3332 tasklist.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2776 schtasks.exe
4344 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

dupe.exe

pid process

3456 dupe.exe

pid	process
1964	timeout.exe

pid	process
3332	tasklist.exe

pid	process
2776	schtasks.exe
4344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

dupe.exe

pid	process
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe
3456	dupe.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TelegramRAT.exetasklist.exedupe.exe

description	pid	process
Token: SeDebugPrivilege	1644	TelegramRAT.exe
Token: SeDebugPrivilege	3332	tasklist.exe
Token: SeDebugPrivilege	3456	dupe.exe
Token: SeDebugPrivilege	3456	dupe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dupe.exe

pid process

3456 dupe.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

TelegramRAT.execmd.exedupe.exe

description	pid	process	target process
PID 1644 wrote to memory of 4344	1644	TelegramRAT.exe	schtasks.exe
PID 1644 wrote to memory of 4344	1644	TelegramRAT.exe	schtasks.exe
PID 1644 wrote to memory of 1732	1644	TelegramRAT.exe	cmd.exe
PID 1644 wrote to memory of 1732	1644	TelegramRAT.exe	cmd.exe
PID 1732 wrote to memory of 3332	1732	cmd.exe	tasklist.exe
PID 1732 wrote to memory of 3332	1732	cmd.exe	tasklist.exe
PID 1732 wrote to memory of 4440	1732	cmd.exe	find.exe
PID 1732 wrote to memory of 4440	1732	cmd.exe	find.exe
PID 1732 wrote to memory of 1964	1732	cmd.exe	timeout.exe
PID 1732 wrote to memory of 1964	1732	cmd.exe	timeout.exe
PID 1732 wrote to memory of 3456	1732	cmd.exe	dupe.exe
PID 1732 wrote to memory of 3456	1732	cmd.exe	dupe.exe
PID 3456 wrote to memory of 2776	3456	dupe.exe	schtasks.exe
PID 3456 wrote to memory of 2776	3456	dupe.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Windows Update" /tr "C:\Users\Public\Downloads\dupe.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp91A1.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp91A1.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1644"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3332
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4440
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1964
- - C:\Users\Public\Downloads\dupe.exe
    "dupe.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Windows Update" /tr "C:\Users\Public\Downloads\dupe.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp91A1.tmp.bat

Filesize
197B

MD5
c2da525f000512df8189879d8a22aaf5

SHA1
2eb898dce2eadae799eff2a1ff18c6c4884d87d5

SHA256
bf0d737a228fb7a80cb635f733bb12bcdd63100f3fca04c4d923843a1147c6e0

SHA512
1a232b28d1ebadcbfc08cba26239969535f33ffc1191c75098f7a963b0ae74b5d07efd959ed6bfa28d226092a8beffc41c058d2e51287a80d80a7d5c748bc89f

Download Submit
C:\Users\Public\Downloads\dupe.exe

Filesize
111KB

MD5
3c6f5e7ca1f0279c860554b7b4dfaf5d

SHA1
15c4baaa666353eb7dd5d28a76aead8bf14bc352

SHA256
f7514a2e0e612b0b4211c4655fedc3a7052578f38f1bfe131e2213102c164e34

SHA512
1c8ac972d4ef27ec0f80e850137a8f19c95c72b97f2dede9c4d0caf007709133a5f2e248f6f04bc6e30fbbea742b8f4ae66a4f3408ab0d00ca48c48865947b09

Download Submit
memory/1644-1-0x000001B77F900000-0x000001B77F922000-memory.dmp

Filesize
136KB

Download
memory/1644-0-0x00007FFF03BF3000-0x00007FFF03BF5000-memory.dmp

Filesize
8KB

Download
memory/1644-2-0x00007FFF03BF0000-0x00007FFF046B1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-6-0x00007FFF03BF0000-0x00007FFF046B1000-memory.dmp

Filesize
10.8MB

Download
memory/3456-11-0x00000168FB360000-0x00000168FB509000-memory.dmp

Filesize
1.7MB

Download
memory/3456-12-0x00000168FB650000-0x00000168FB6FA000-memory.dmp

Filesize
680KB

Download
memory/3456-13-0x00000168FB700000-0x00000168FB776000-memory.dmp

Filesize
472KB

Download
memory/3456-21-0x00000168FB360000-0x00000168FB509000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads