toxiceye | 3838e7e11bf662f1aa1f2ab3f253f28ae6f901b9990ea30463a5be286ecaf930

General

Target

TelegramRAT.exe
Size

111KB
MD5

86d8a483339d3ac873ae2c49db336ee8
SHA1

5745657762bb4a5dd51a366ddf09cee57e2ef88a
SHA256

3838e7e11bf662f1aa1f2ab3f253f28ae6f901b9990ea30463a5be286ecaf930
SHA512

60b32c56081712ebd581162d34abba2d55b2ecf917d703d62a6364b552cb58569e9cc32ede4296c5b76228520c52c1cc883d079b3f29df9afd9cf5d31912e3d8
SSDEEP

3072:ab4MOYUuQaS+T8sv8X31OjqOjNhOYRbxqH8QWczCrAZugjV:/YUuQaS+T8sv8X31OXNVbgP

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7530098852:AAGdvqJSNhZQt0RWkSJfG_yuTMTBKVgdCNU/sendMessage?chat_id=6686041459

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TelegramRAT.exerat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

5104 rat.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1904 tasklist.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

768 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3516 schtasks.exe
3436 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

rat.exe

pid process

5104 rat.exe

pid	process
1904	tasklist.exe

pid	process
768	timeout.exe

pid	process
3516	schtasks.exe
3436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

rat.exe

pid	process
5104	rat.exe
5104	rat.exe
5104	rat.exe
5104	rat.exe
5104	rat.exe
5104	rat.exe
5104	rat.exe
5104	rat.exe
5104	rat.exe
5104	rat.exe
5104	rat.exe
5104	rat.exe
5104	rat.exe
5104	rat.exe
5104	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TelegramRAT.exetasklist.exerat.exe

description	pid	process
Token: SeDebugPrivilege	4044	TelegramRAT.exe
Token: SeDebugPrivilege	1904	tasklist.exe
Token: SeDebugPrivilege	5104	rat.exe
Token: SeDebugPrivilege	5104	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

5104 rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

TelegramRAT.execmd.exerat.exe

description	pid	process	target process
PID 4044 wrote to memory of 3516	4044	TelegramRAT.exe	schtasks.exe
PID 4044 wrote to memory of 3516	4044	TelegramRAT.exe	schtasks.exe
PID 4044 wrote to memory of 2948	4044	TelegramRAT.exe	cmd.exe
PID 4044 wrote to memory of 2948	4044	TelegramRAT.exe	cmd.exe
PID 2948 wrote to memory of 1904	2948	cmd.exe	tasklist.exe
PID 2948 wrote to memory of 1904	2948	cmd.exe	tasklist.exe
PID 2948 wrote to memory of 3948	2948	cmd.exe	find.exe
PID 2948 wrote to memory of 3948	2948	cmd.exe	find.exe
PID 2948 wrote to memory of 768	2948	cmd.exe	timeout.exe
PID 2948 wrote to memory of 768	2948	cmd.exe	timeout.exe
PID 2948 wrote to memory of 5104	2948	cmd.exe	rat.exe
PID 2948 wrote to memory of 5104	2948	cmd.exe	rat.exe
PID 5104 wrote to memory of 3436	5104	rat.exe	schtasks.exe
PID 5104 wrote to memory of 3436	5104	rat.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA7E8.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA7E8.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 4044"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3948
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:768
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA7E8.tmp.bat

Filesize
188B

MD5
3b48a33716d2c4a97f43c6631facbc4a

SHA1
23890b290b22e5b9efc6f43dd3d25b627235b6a0

SHA256
d0f6786cfc9b1f135c90f61ff4fdc6795247b6541a8613204fcc1085ed568660

SHA512
b07d1893f67ceb4dfe652aa60e25ccb4f22d0a40c7dfab76792882b4ef6006619721c8b9d349b783c41bd0cb74cbbf359344a21335caeac2ffb69631f94a7b83

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
86d8a483339d3ac873ae2c49db336ee8

SHA1
5745657762bb4a5dd51a366ddf09cee57e2ef88a

SHA256
3838e7e11bf662f1aa1f2ab3f253f28ae6f901b9990ea30463a5be286ecaf930

SHA512
60b32c56081712ebd581162d34abba2d55b2ecf917d703d62a6364b552cb58569e9cc32ede4296c5b76228520c52c1cc883d079b3f29df9afd9cf5d31912e3d8

Download Submit
memory/4044-0-0x00007FFA20C73000-0x00007FFA20C75000-memory.dmp

Filesize
8KB

Download
memory/4044-1-0x00000277DE370000-0x00000277DE392000-memory.dmp

Filesize
136KB

Download
memory/4044-2-0x00007FFA20C70000-0x00007FFA21731000-memory.dmp

Filesize
10.8MB

Download
memory/4044-7-0x00007FFA20C70000-0x00007FFA21731000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads