Analysis

  • max time kernel
    7s
  • max time network
    8s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04-10-2024 21:53

Errors

Reason
Machine shutdown

General

  • Target

    Release.exe

  • Size

    597KB

  • MD5

    606053f855e7969e596bfce116360cd4

  • SHA1

    78c4bf47fa78eca3a89d1061d21275836902d5c6

  • SHA256

    2d7d41e9ed34a165cd45ef6e9700c5d70d43cd3e9a2686389cd667bd5d2a30ef

  • SHA512

    85e40a1b11db1ef340e5c794315046e8db047963228f1780bc47356a8ff52e4c1beb72acbdd83709aca898ef7194f224d1b13e6bcca4efb28ec61d1df1d057f5

  • SSDEEP

    12288:yyveQB/fTHIGaPkKEYzURNAwbAgOT+t1R2RxoC/aHK09Tp:yuDXTIGaPhEYzUzA0bsWjT

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7370990677:AAFRG5SGghnaK_mDZqGyrOAkScygRIFkkzQ/sendMessage?chat_id=7315171848

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • ToxicEye

    ToxicEye is a trojan written in C#.

  • Executes dropped EXE 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Release.exe
    "C:\Users\Admin\AppData\Local\Temp\Release.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
      "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4008
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB95D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpB95D.tmp.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\system32\tasklist.exe
          Tasklist /fi "PID eq 3000"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4540
        • C:\Windows\system32\find.exe
          find ":"
          4⤵
          PID:3596
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:1808
        • C:\Users\CyberEye\rat.exe
          "rat.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:572
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2424

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe

      Filesize

      136KB

      MD5

      8aadaaa1bd0395908abe7632ae27b08c

      SHA1

      71b37ca8b03ec620647141ec91f2f1eb4042450f

      SHA256

      8d11819be351083a53b4e50a722c4bb81e19ac0a4ac69409102d50e79094d336

      SHA512

      170acad3a55677ead5e7e471c1b648d26925d77457e1e821879c8ab7efb9a8773b50192099e0993c6174f4b044421865021f3ce98386f13c23732373a38f55ef

    • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe.config

      Filesize

      161B

      MD5

      c16b0746faa39818049fe38709a82c62

      SHA1

      3fa322fe6ed724b1bc4fd52795428a36b7b8c131

      SHA256

      d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad

      SHA512

      cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c

    • C:\Users\Admin\AppData\Local\Temp\tmpB95D.tmp.bat

      Filesize

      188B

      MD5

      bb6de4f022c6aea7622df42e2b830708

      SHA1

      e4d24d5d984c3a7a28ea3cd20def91d2a7330cff

      SHA256

      81dd6f59d3b31fa21de63857f9c31e56c595538c610b763f2836a68470a70f21

      SHA512

      769ffbda2de2ebc343de96389ce110625815ec27feacbab5a5d012ca5ebe77bb6229cf8a36312896f6edebf18e5efb24e76a56584f57b903d99ab855d907680a

    • memory/3000-23-0x00007FF9D2A33000-0x00007FF9D2A35000-memory.dmp

      Filesize

      8KB

    • memory/3000-24-0x000001AC0BC90000-0x000001AC0BCB8000-memory.dmp

      Filesize

      160KB

    • memory/3000-25-0x00007FF9D2A30000-0x00007FF9D34F2000-memory.dmp

      Filesize

      10.8MB

    • memory/3000-30-0x00007FF9D2A30000-0x00007FF9D34F2000-memory.dmp

      Filesize

      10.8MB