toxiceye | f23dac3626300010fbfdedaec9cf07d0890b3acec0190283ecb0b545de22ecb8

General

Target

378b0ac112a719e6d5f8b31603877690N.exe
Size

119KB
MD5

378b0ac112a719e6d5f8b31603877690
SHA1

27c6e0cdee370a6ff54efc949727c9076870dcab
SHA256

f23dac3626300010fbfdedaec9cf07d0890b3acec0190283ecb0b545de22ecb8
SHA512

c0788079b2bc9dfafc3b5cb48b45f33974bb26004b3d3c07893fdde8c56e5cd0409b3b82c7313ddfb89d31de9580ddb0be4ab3604dd49b85fc3674ec6f130588
SSDEEP

3072:qOfRzlXCwwFwOwWAmm+m/bxqH8QWrzCrAZu8VDpyD/d+OC:qr1SWH+/bgi1VDpyD/Y

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7335066800:AAFPnjqCOJcJkOIGjmU_-X7I-VqiZLlbktE/sendMessage?chat_id=1319796723

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

760 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

2616 rat.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3008 tasklist.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1284 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2776 schtasks.exe
2620 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

rat.exe

pid process

2616 rat.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rat.exe

pid process

2616 rat.exe
2616 rat.exe
2616 rat.exe
2616 rat.exe

pid	process
760	cmd.exe

pid	process
2616	rat.exe

pid	process
3008	tasklist.exe

pid	process
1284	timeout.exe

pid	process
2776	schtasks.exe
2620	schtasks.exe

pid	process
2616	rat.exe

pid	process
2616	rat.exe
2616	rat.exe
2616	rat.exe
2616	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

378b0ac112a719e6d5f8b31603877690N.exetasklist.exerat.exe

description	pid	process
Token: SeDebugPrivilege	2292	378b0ac112a719e6d5f8b31603877690N.exe
Token: SeDebugPrivilege	3008	tasklist.exe
Token: SeDebugPrivilege	2616	rat.exe
Token: SeDebugPrivilege	2616	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

2616 rat.exe

pid	process
2616	rat.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

378b0ac112a719e6d5f8b31603877690N.execmd.exerat.exe

description	pid	process	target process
PID 2292 wrote to memory of 2776	2292	378b0ac112a719e6d5f8b31603877690N.exe	schtasks.exe
PID 2292 wrote to memory of 2776	2292	378b0ac112a719e6d5f8b31603877690N.exe	schtasks.exe
PID 2292 wrote to memory of 2776	2292	378b0ac112a719e6d5f8b31603877690N.exe	schtasks.exe
PID 2292 wrote to memory of 760	2292	378b0ac112a719e6d5f8b31603877690N.exe	cmd.exe
PID 2292 wrote to memory of 760	2292	378b0ac112a719e6d5f8b31603877690N.exe	cmd.exe
PID 2292 wrote to memory of 760	2292	378b0ac112a719e6d5f8b31603877690N.exe	cmd.exe
PID 760 wrote to memory of 3008	760	cmd.exe	tasklist.exe
PID 760 wrote to memory of 3008	760	cmd.exe	tasklist.exe
PID 760 wrote to memory of 3008	760	cmd.exe	tasklist.exe
PID 760 wrote to memory of 2168	760	cmd.exe	find.exe
PID 760 wrote to memory of 2168	760	cmd.exe	find.exe
PID 760 wrote to memory of 2168	760	cmd.exe	find.exe
PID 760 wrote to memory of 1284	760	cmd.exe	timeout.exe
PID 760 wrote to memory of 1284	760	cmd.exe	timeout.exe
PID 760 wrote to memory of 1284	760	cmd.exe	timeout.exe
PID 760 wrote to memory of 2616	760	cmd.exe	rat.exe
PID 760 wrote to memory of 2616	760	cmd.exe	rat.exe
PID 760 wrote to memory of 2616	760	cmd.exe	rat.exe
PID 2616 wrote to memory of 2620	2616	rat.exe	schtasks.exe
PID 2616 wrote to memory of 2620	2616	rat.exe	schtasks.exe
PID 2616 wrote to memory of 2620	2616	rat.exe	schtasks.exe
PID 2616 wrote to memory of 2600	2616	rat.exe	WerFault.exe
PID 2616 wrote to memory of 2600	2616	rat.exe	WerFault.exe
PID 2616 wrote to memory of 2600	2616	rat.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\378b0ac112a719e6d5f8b31603877690N.exe
"C:\Users\Admin\AppData\Local\Temp\378b0ac112a719e6d5f8b31603877690N.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp98E5.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp98E5.tmp.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2292"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2168
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1284
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2620
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2616 -s 1672
      4⤵
      PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp98E5.tmp.bat

Filesize
210B

MD5
fb1dbc6057f9f862e5ac45f72284be90

SHA1
2e40ecd32320fc2fe771b04154660f5d94254986

SHA256
069ba12902afd0cc5af4829fb76f2c65a572b8d33d39b6604b44dfc3c9066368

SHA512
caff43728a1c570985ee119616f323ec6fe2d5e7a8aee107feacde7fa62c3ece6d1cb50b25ee1e37cf9e10c2f0ab48c65219c378eb810a38623940c482eb85d6

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
119KB

MD5
378b0ac112a719e6d5f8b31603877690

SHA1
27c6e0cdee370a6ff54efc949727c9076870dcab

SHA256
f23dac3626300010fbfdedaec9cf07d0890b3acec0190283ecb0b545de22ecb8

SHA512
c0788079b2bc9dfafc3b5cb48b45f33974bb26004b3d3c07893fdde8c56e5cd0409b3b82c7313ddfb89d31de9580ddb0be4ab3604dd49b85fc3674ec6f130588

Download Submit
memory/2292-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x0000000000350000-0x0000000000374000-memory.dmp

Filesize
144KB

Download
memory/2292-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2292-6-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2616-10-0x0000000000D10000-0x0000000000D34000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads