General

  • Target: Hotmail Checker.rar
  • Size: 667KB
  • Sample: 241125-t76vassmhm
  • MD5: 25d5d8e397837f866ee0062beae405c8
  • SHA1: ed1b40f91ba22c6ee5fb78dc77fc3c3a4dc6738e
  • SHA256: 0de1f1739dfc278a21c75d17be004aa2ea212896d18e56a4495f7b118cd7d7a1
  • SHA512: 00fe4697e5fda99467872ff3d8ae5f45a7dea3e8cbdf5db8c935f8291c777dd095a3fc4a543171bd6c076e304a6fc1285aaedbbd6d8da24bf6badde9dc682881
  • SSDEEP: 12288:8qlOkp1CyGNVql3fY308oLdCCqJEr4EnFROLyKeoc31UJmarmojLw56TmfNoj:1lOkpYyGNElvJAlO4EFRTPoYdAxj1ifE

Malware Config

Extracted

  • Family: toxiceye
  • C2: https://api.telegram.org/bot8144564059:AAGZGbvRRUEPFcw0XVG2BW_EHAzXGMZHSwk/sendMessage?chat_id=5059028006

Targets

    • Target: Hotmail Checker.rar
    • Size: 667KB
    • MD5: 25d5d8e397837f866ee0062beae405c8
    • SHA1: ed1b40f91ba22c6ee5fb78dc77fc3c3a4dc6738e
    • SHA256: 0de1f1739dfc278a21c75d17be004aa2ea212896d18e56a4495f7b118cd7d7a1
    • SHA512: 00fe4697e5fda99467872ff3d8ae5f45a7dea3e8cbdf5db8c935f8291c777dd095a3fc4a543171bd6c076e304a6fc1285aaedbbd6d8da24bf6badde9dc682881
    • SSDEEP: 12288:8qlOkp1CyGNVql3fY308oLdCCqJEr4EnFROLyKeoc31UJmarmojLw56TmfNoj:1lOkpYyGNElvJAlO4EFRTPoYdAxj1ifE
    • Score: 1/10

    • Target: Data/Modules/AudioSwitcher.AudioApi.CoreAudio.dll
    • Size: 76KB
    • MD5: 1a3571119038a479c298097087635803
    • SHA1: 95daf8034c518a52639fb845aad28bec57fd5cd3
    • SHA256: f496f74f48f3dbb499474ef0a06894079087871342b3e3bc254c5903e4aebf91
    • SHA512: d534bc4117a3ed5ce0a14f6658679b75a05453a41522d6307af4e0ab3bbee7049f70671a50db7dc3804fe5f6ccb6a4496f1a316222eab076deb6d39ac93c4c43
    • SSDEEP: 1536:QlhKei7+LjzyJmJtJhendwV61ncQmlp/bV:Qo7+3zcndwIncQM/bV
    • Score: 1/10

    • Target: Data/Modules/AudioSwitcher.AudioApi.dll
    • Size: 40KB
    • MD5: 3f88b41942ec020c9b66f464b3d1c899
    • SHA1: a846f0855d5250dc4dda9d3c37f6862e93ebc802
    • SHA256: 26ff364fca496ee1093de596645c86731c156d81d026b5d020de46b0df053513
    • SHA512: dffe0b98033258ba3e58c43bf4e17e280ffb44c0d3c7a5b1c58761acc0ec2e4c30a035bae6df220c5ec07c641d494ccb135bc7b75977021dc2059f2e4e735af0
    • SSDEEP: 384:iFo07NXH3jI8tRM1sGyfPodV/FU92983yggIwFTIVk1yUsUg43prF7RfrEEJvHQb:iG07NDI2ql8PQVtd83p40VoFtsT5h
    • Score: 1/10

    • Target: Data/Modules/Jint.dll
    • Size: 244KB
    • MD5: 734c5ce8f9b104d8ad3c7b494e96f9b9
    • SHA1: 184cd4152b1b65d9531867b06c2e1c215fb872f1
    • SHA256: ed618668ae9e7c02c7c2b7332dd09079168cca96432a051044683c996337001c
    • SHA512: 1e3ac0649e3b7bf9e97681aa7b1346aa44afe96d8c86fc77a6e002b8cf5b14b1a57f19f669ed0d4ae9a94d3f65d4eefa99dcffcf5d74afc8731f913c9c9f79d6
    • SSDEEP: 3072:hE1DupDOGfyKkpsZa27k5t0f5jjBWV239UDjRFAkqYL36ZmvYYGUaKTUCRaikNrJ:hjyQlGunmvjPa2vRQrXPHNQHsq5+L
    • Score: 1/10

    • Target: Data/Modules/Leaf.xNet.dll
    • Size: 142KB
    • MD5: 2c607159e31c1e091697e74efa5cfebe
    • SHA1: 874d28447e5c1d7583f413db85049bf17de830b5
    • SHA256: 056900c587b7e574ccd154a83fe299bada653347c3862076b0ef6035039c0bec
    • SHA512: bfe7b463db8f0ef5981b4cdf22d2815ec10a941fb7cdeff4a861626f1fa9a29f913c5e971b257a5d206965e1300328b7530c40692889d9065ab95d63a63fe55c
    • SSDEEP: 3072:iKpUZ/x+t38Q4I2T4EFWX66sU9/dfYJd:vUZ/x+tMnI2T4/XN
    • Score: 1/10

    • Target: Data/Modules/Newtonsoft.Json.dll
    • Size: 695KB
    • MD5: 715a1fbee4665e99e859eda667fe8034
    • SHA1: e13c6e4210043c4976dcdc447ea2b32854f70cc6
    • SHA256: c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
    • SHA512: bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
    • SSDEEP: 12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
    • Score: 1/10

    • Target: Data/Modules/Sodium.dll
    • Size: 59KB
    • MD5: fa95d735f88e819edc0cef02d3ee4781
    • SHA1: 9e3c03ee4b0efeedf59edaca15ea304d2ec4cec7
    • SHA256: bf5b02ac516e9b62086649f43a29287c7872bbdb87512e9d5ec1be681c77a94a
    • SHA512: 554cf8906c7e4bc15653685e70e96995bfdf0803fb30ca196d8bc34f9bfb888a7a1de64e8441415155889893ac7769bb643aa87913f5176c80588b1e3a38348b
    • SSDEEP: 1536:CjCH26g5fMVJXJO466QZmtQLrG3HbK7HIN8xmZ/zuXohMU6i3HFkdEpy:CmH26gr466HtQMbK7HIN8xmZ/zuXohML
    • Score: 1/10

    • Target: Data/Modules/porsche.exe
    • Size: 168KB
    • MD5: ace08d279f65f6ead0421577476928b6
    • SHA1: d828d8dfbb543eb1db8b0e3f4430b90e50a23fbd
    • SHA256: bc93e49457acf3990c916a84d51916638332bf1e7d775e6ad9f240ea595a41b5
    • SHA512: 9910dd98b435f51dca61e78c4721c10a355e288f8b466ef3a4cee71cfcd5dbd5c4beef5d0acfba11e67943a341060f0ecf0f44e793ea1df47e23f149be7cf8d1
    • SSDEEP: 768:bugFyke3kC7sdkiPQpgHG7vHCMYTH5gzYYHXiRQY1lZM8U5AaexwJ3zPBQePJREZ:a0yYC7sSpgHGb4HuzmKY1I8lahTb+
    • Score: 1/10

    • Target: Data/Modules/porsche1.exe
    • Size: 137KB
    • MD5: a5c1ee36b5adf088e4938ff2c350291f
    • SHA1: da217a5def61fc33710ee60659f59937cbcc1fb4
    • SHA256: 9b4cf6cdae00466be75f8da110fd512f58e54dc2b939fb92c44eb2cbdb82b639
    • SHA512: 2e7d647dd29db3ec126ef18e1e24e87e7482264376722754676af2d0c53e2a7bd1bc7d8b6c62526882b6ac0c0f498e247fa2de7d594c922e745966d5b6c2878e
    • SSDEEP: 3072:u3rx7Fa9S+ZUY0QABxTF27jskr+1vTmENGMbZLQ/QWoPCrAZuiG:um9S+ZtABxTgwRGMbFF
    • Contains code to disable Windows Defender
      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first sight, etc.
    • ToxicEye
      ToxicEye is a trojan written in C#.
    • Toxiceye family
    • Checks computer location settings
      Looks up the country code configured in the registry, likely used as a geofence.
    • Deletes itself
    • Executes dropped EXE
    • Enumerates processes with tasklist


    • Target: Data/Modules/porsche1.exe.config
    • Size: 163B
    • MD5: 9a3d99ab612161dfe2116f5939b8bc05
    • SHA1: a0f4570011c4e5add32b247889eb1036c9f1cfa1
    • SHA256: 97f54f7cda9454d4083f240408cd315a54c99be0d770f3a77baa18b00a410c8a
    • SHA512: 4701a79ae88d0164c87930d35fc3e2ebab016e6bb7ea794f90b67268782b298ab65288b8364afcaadb5c4ce6b22630179426f5a53da60dde81cb6c90a88d8590
    • Score: 3/10

    • Target: Data/Modules/porsche1.pdb
    • Size: 287KB
    • MD5: 20075a0c16a2b28d1ab8cbecf4902930
    • SHA1: 8541a7dcd0bfde70d699f2e042285f5249ca81ac
    • SHA256: b930b3fb15c0b502f0ec8cf8f05f0536191e0d2093ec6983d190125ad1c7325a
    • SHA512: 75310a913e416ec062ed37012a68e77f3d004411de9829ac0f5234ee3b503d62fc5835f55f00693455379a10fcb562c58191b31f2dd953417e485685b0b44660
    • SSDEEP: 1536:rzl2MYPzI0AYTs7q1GfhJdboUBdY//XSTtzPNm3s+/wH1JlrrTU2as+XV:fDYLI0ts7q1whJdboUPY/f6Y3bK1Jeb
    • Score: 3/10

    • Target: Data/Modules/settings.json
    • Size: 94B
    • MD5: d0502e4d0c90dcf9075de4d9280710db
    • SHA1: c66e9c5f9fd942960a672a37c41ec4cb636f2bc9
    • SHA256: 7428368a5eb6342c5f2625ae7d561913602a4289047e952377816650fd282efc
    • SHA512: 55a13a49a31f805f9c292c1ab19177c668d5b0756604a8be99d90d4fe272695b3fdc53e808cda4615a79762316b786f61e41c70b1c798f843cf638cdbc758513
    • Score: 3/10

    • Target: Jint.dll
    • Size: 244KB
    • MD5: 734c5ce8f9b104d8ad3c7b494e96f9b9
    • SHA1: 184cd4152b1b65d9531867b06c2e1c215fb872f1
    • SHA256: ed618668ae9e7c02c7c2b7332dd09079168cca96432a051044683c996337001c
    • SHA512: 1e3ac0649e3b7bf9e97681aa7b1346aa44afe96d8c86fc77a6e002b8cf5b14b1a57f19f669ed0d4ae9a94d3f65d4eefa99dcffcf5d74afc8731f913c9c9f79d6
    • SSDEEP: 3072:hE1DupDOGfyKkpsZa27k5t0f5jjBWV239UDjRFAkqYL36ZmvYYGUaKTUCRaikNrJ:hjyQlGunmvjPa2vRQrXPHNQHsq5+L
    • Score: 1/10

    • Target: Start Checker.bat
    • Size: 63B
    • MD5: 7cd830db1b8da52c0062cc6f260a9685
    • SHA1: ed401d18b0095fc94e4809b7d1ff433dd05697f4
    • SHA256: d3347618ea5777b3d58e2005afbebe1e9d484405919333f41bc0ddb189261758
    • SHA512: c735b66dc15a37221b65e9350115db78ee55cb3ef11f401bc9f744be2b1283a16937d62ca8344c071febd6ddd4ccf924b001bbb79a5d03519bf49328264ae097
    • Contains code to disable Windows Defender
      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first sight, etc.
    • ToxicEye
      ToxicEye is a trojan written in C#.
    • Toxiceye family
    • Checks computer location settings
      Looks up the country code configured in the registry, likely used as a geofence.
    • Executes dropped EXE
    • Enumerates processes with tasklist


    • Target: settings.json
    • Size: 94B
    • MD5: d0502e4d0c90dcf9075de4d9280710db
    • SHA1: c66e9c5f9fd942960a672a37c41ec4cb636f2bc9
    • SHA256: 7428368a5eb6342c5f2625ae7d561913602a4289047e952377816650fd282efc
    • SHA512: 55a13a49a31f805f9c292c1ab19177c668d5b0756604a8be99d90d4fe272695b3fdc53e808cda4615a79762316b786f61e41c70b1c798f843cf638cdbc758513
    • Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks

  • static1: toxiceye; Score 10/10
  • behavioral1: Score 1/10
  • behavioral2: Score 1/10
  • behavioral3: Score 1/10
  • behavioral4: Score 1/10
  • behavioral5: Score 1/10
  • behavioral6: Score 1/10
  • behavioral7: Score 1/10
  • behavioral8: Score 1/10
  • behavioral9: Score 1/10
  • behavioral10: Score 1/10
  • behavioral11: Score 1/10
  • behavioral12: Score 1/10
  • behavioral13: Score 1/10
  • behavioral14: Score 1/10
  • behavioral15: Score 1/10
  • behavioral16: Score 1/10
  • behavioral17: toxiceye, discovery, rat, trojan; Score 10/10
  • behavioral18: toxiceye, discovery, rat, trojan; Score 10/10
  • behavioral19: discovery; Score 3/10
  • behavioral20: Score 1/10
  • behavioral21: discovery; Score 3/10
  • behavioral22: Score 3/10
  • behavioral23: discovery; Score 3/10
  • behavioral24: Score 3/10
  • behavioral25: Score 1/10
  • behavioral26: Score 1/10
  • behavioral27: toxiceye, discovery, rat, trojan; Score 10/10
  • behavioral28: toxiceye, discovery, rat, trojan; Score 10/10
  • behavioral29: discovery; Score 3/10
  • behavioral30: Score 3/10