Overview

overview

10

Static

static

3

J9cvjahsghfAP2s.exe

windows10-1703-x64

10

J9cvjahsghfAP2s.exe

windows10-2004-x64

Analysis

  • max time kernel
    57s
  • max time network
    65s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06-10-2024 21:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    J9cvjahsghfAP2s.exe

  • Size

    16.3MB

  • MD5

    0392831eef744779930426841e250ec0

  • SHA1

    f9d7d82a92bdc7c8598d393edae73ca1b6ed015e

  • SHA256

    a65b1b62f767ef61e1711c0a83157c1e1d01e0c2eace65e616c837fc1e44dbe7

  • SHA512

    dbd9e9020ba51db9a71cd435894581e3f1260436cf7690783df00917bce815a2bec45c85592c16eb5aa75937c6cbcd1959f4d95de510cc3174945d3186f74b42

  • SSDEEP

    393216:914I2ZOl6M5PdlNYHeWcHXe0xE6TNJWAikay8d+Lc0xk3S1vk:b4I2bM9dlN+XsXesESJWZd+LFki1

Score
10/10
toxiceyedefense_evasiondiscoveryevasionrattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7642478923:AAEwlRnbjjNP8kHPrxLhm3a8vkSUNuUfWL0/sendMessage?chat_id=7824954161

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\J9cvjahsghfAP2s.exe
    "C:\Users\Admin\AppData\Local\Temp\J9cvjahsghfAP2s.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAZwByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAcABrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAYwBkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AdABiACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3848
    • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
      "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4404
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF1F1.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF1F1.tmp.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4644
        • C:\Windows\system32\tasklist.exe
          Tasklist /fi "PID eq 3852"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3180
        • C:\Windows\system32\find.exe
          find ":"
          4⤵
            PID:60
          • C:\Windows\system32\timeout.exe
            Timeout /T 1 /Nobreak
            4⤵
            • Delays execution with timeout.exe
            PID:3260
          • C:\Users\ToxicEye\rat.exe
            "rat.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2264
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:684
      • C:\Users\Admin\AppData\Local\Temp\GcYPoQg2gjwx.exe
        "C:\Users\Admin\AppData\Local\Temp\GcYPoQg2gjwx.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:3272

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\GcYPoQg2gjwx.exe
      Filesize

      16.2MB

      MD5

      a2cfaecd80aaa319d36ed1c87fc68dce

      SHA1

      d0478f4274090e27fef08869682f7d181bdfdeba

      SHA256

      cab0c3b7a76fe7356253ed309512908ad769068ad57e61a7ee9ea78586750d81

      SHA512

      3233b9c768b7314eebda5b31dce4d4e0160f58b0b750402fcb848c585a74e2d923992952ce20384dc821b788a5acafa6b8e46030d9bdde9328df480391db2fb2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
      Filesize

      111KB

      MD5

      cfcf85d457ace60923e67ce7f14adadf

      SHA1

      76f9220c256579361542cddde951d6cbb86ca163

      SHA256

      0a2ea2ae3535420da3b3504d3dc9f45067e55c81c3d4e2d483173e05db0fdd3f

      SHA512

      d2554907ea6f236bfefce0c09dcf1a90a171455038b1bc671eeac787938fea1ed7783954550489d6b0375fd9a2a0c794f728c1d81d79fe6600080de4739ab984

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ko21siwa.4ks.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpF1F1.tmp.bat
      Filesize

      188B

      MD5

      c3137d62f6011fef44e6be846eabfee3

      SHA1

      bd61de06947d377301bd0714fa4baa0b0ccc317e

      SHA256

      9fdfe7e8ff8d3f4879960c3e5bc262a5766cafd12d85b6c021046b20defbc863

      SHA512

      ba4623ce7436d420c6bdb4e37994f62a082264ef1468b8c7d5e46e1deb23e04973d70faf9f56d7d2d74be1853a4321a0c26dadce5baf36ea30cadd5af054fd40

      Download Submit

    • memory/2264-279-0x000001B02EA30000-0x000001B02EA4E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2264-278-0x000001B02ECE0000-0x000001B02ED56000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2264-277-0x000001B02EC30000-0x000001B02ECDA000-memory.dmp

      Filesize

      680KB

      Download

    • memory/3272-60-0x0000000140000000-0x0000000142343000-memory.dmp

      Filesize

      35.3MB

      Download

    • memory/3272-19-0x0000000140000000-0x0000000142343000-memory.dmp

      Filesize

      35.3MB

      Download

    • memory/3272-21-0x0000000140000000-0x0000000142343000-memory.dmp

      Filesize

      35.3MB

      Download

    • memory/3272-20-0x0000000140000000-0x0000000142343000-memory.dmp

      Filesize

      35.3MB

      Download

    • memory/3272-18-0x0000000140000000-0x0000000142343000-memory.dmp

      Filesize

      35.3MB

      Download

    • memory/3848-27-0x0000000007950000-0x000000000796C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3848-54-0x0000000008B50000-0x0000000008B6E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3848-24-0x0000000006DE0000-0x0000000006E46000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3848-25-0x00000000075C0000-0x0000000007910000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3848-22-0x0000000006BD0000-0x0000000006BF2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3848-28-0x0000000007990000-0x00000000079DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3848-31-0x0000000007D90000-0x0000000007E06000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3848-17-0x0000000006F90000-0x00000000075B8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3848-13-0x0000000004130000-0x0000000004166000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3848-52-0x0000000008B80000-0x0000000008BB3000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3848-53-0x0000000073330000-0x000000007337B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3848-23-0x0000000006D70000-0x0000000006DD6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3848-59-0x0000000008BC0000-0x0000000008C65000-memory.dmp

      Filesize

      660KB

      Download

    • memory/3848-61-0x000000007285E000-0x000000007285F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3848-9-0x000000007285E000-0x000000007285F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3848-63-0x0000000009090000-0x0000000009124000-memory.dmp

      Filesize

      592KB

      Download

    • memory/3848-256-0x0000000008FA0000-0x0000000008FBA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3848-261-0x0000000008F90000-0x0000000008F98000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3852-12-0x0000015FDB020000-0x0000015FDB030000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3852-6-0x0000015FD9410000-0x0000015FD9432000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3852-5-0x00007FFB83AE3000-0x00007FFB83AE4000-memory.dmp

      Filesize

      4KB

      Download