Overview

overview

10

Static

static

3

Toxic Tool v2.exe

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Toxic Tool v2.exe

  • Size

    125KB

  • Sample

    240723-wrb14avdma

  • MD5

    43377f23d320433968011c32860bc785

  • SHA1

    f9116c2c2e45a14a6ebd2b5c70dcff69551fa565

  • SHA256

    f29a44beb08b8f458f0df8ece25dd915017fc9db561daa4ea9b3b5e2d8b2b83c

  • SHA512

    a10f1c063525eeca7f9d8ac37668d41c4cb457e27158189580f78d0827f7d419cb3728cfb2386298b2706cf3a28784bd7ae49615019c3fbb1d1097a7e8ddf93a

  • SSDEEP

    3072:y7DhdC6kzWypvaQ0FxyNTBfX2dMKYdHWOph1mSjVlGt:yBlkZvaF4NTB/9dHWeh1ba

Score
10/10
agilenetbootkitdefense_evasiondiscoveryevasionpersistencetrojanupx

Malware Config

Targets

    • Target

      Toxic Tool v2.exe

    • Size

      125KB

    • MD5

      43377f23d320433968011c32860bc785

    • SHA1

      f9116c2c2e45a14a6ebd2b5c70dcff69551fa565

    • SHA256

      f29a44beb08b8f458f0df8ece25dd915017fc9db561daa4ea9b3b5e2d8b2b83c

    • SHA512

      a10f1c063525eeca7f9d8ac37668d41c4cb457e27158189580f78d0827f7d419cb3728cfb2386298b2706cf3a28784bd7ae49615019c3fbb1d1097a7e8ddf93a

    • SSDEEP

      3072:y7DhdC6kzWypvaQ0FxyNTBfX2dMKYdHWOph1mSjVlGt:yBlkZvaF4NTB/9dHWeh1ba

    Score
    10/10
    agilenetbootkitdefense_evasiondiscoveryevasionpersistencetrojanupx

    • UAC bypass

      evasiontrojan

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

3
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks