toxiceye | 8f6da90ca708d4002e479df3298857f2014cac9678269de715d58b048724256b | Triage

Submit
Reports

Overview

overview

Static

static

1

Primordial

windows11-21h2-x64

Sharing

General

Target

Primordial
Size

278KB
Sample

241023-v59nvathqp
MD5

2a9b4a529201c22df2f07f1a487f779a
SHA1

71f8186cd8c89d6a0547bbaa9abe882b53382eb8
SHA256

8f6da90ca708d4002e479df3298857f2014cac9678269de715d58b048724256b
SHA512

b4798629e8388899fac10ddb04e37e66e8b5964a6d4569e32aa12a2f0a23974ac0647d0568bab06c9611ce32f1bc90f803abbbbbbe0294f513c863613e62a25e
SSDEEP

6144:sFouqpOL/saqkPV9FemLtcsDSsmw/9lvZJT3CqbMrhryf65NRPaCieMjAkvCJv10:MouqpOL/saqkPV9FemLtcsDSsmw/9lvd

Score

10^/10

toxiceye defense_evasion discovery evasion rat themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

Primordial

Resource

win11-20241007-en

toxiceye defense_evasion discovery evasion rat themida trojan

windows11-21h2-x64

30 signatures

1800 seconds

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7461409177:AAHMv-EtRWu0uEGj_eiICpHa8RT1JBvjytE/sendMessage?chat_id=7179640777

Targets

- Target
  
  Primordial
- Size
  
  278KB
- MD5
  
  2a9b4a529201c22df2f07f1a487f779a
- SHA1
  
  71f8186cd8c89d6a0547bbaa9abe882b53382eb8
- SHA256
  
  8f6da90ca708d4002e479df3298857f2014cac9678269de715d58b048724256b
- SHA512
  
  b4798629e8388899fac10ddb04e37e66e8b5964a6d4569e32aa12a2f0a23974ac0647d0568bab06c9611ce32f1bc90f803abbbbbbe0294f513c863613e62a25e
- SSDEEP
  
  6144:sFouqpOL/saqkPV9FemLtcsDSsmw/9lvZJT3CqbMrhryf65NRPaCieMjAkvCJv10:MouqpOL/saqkPV9FemLtcsDSsmw/9lvd
Score

10^/10

toxiceye defense_evasion discovery evasion rat themida trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- ToxicEye
  ToxicEye is a trojan written in C#.
  rat trojan toxiceye
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Subvert Trust Controls

SIP and Trust Provider Hijacking

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

toxiceyedefense_evasiondiscoveryevasionratthemidatrojan

© 2018-2024

Terms | Privacy