toxiceye | 0de1f1739dfc278a21c75d17be004aa2ea212896d18e56a4495f7b118cd7d7a1

Analysis

max time kernel
13s
max time network
10s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Data/Modules/porsche1.exe
Size

137KB
MD5

a5c1ee36b5adf088e4938ff2c350291f
SHA1

da217a5def61fc33710ee60659f59937cbcc1fb4
SHA256

9b4cf6cdae00466be75f8da110fd512f58e54dc2b939fb92c44eb2cbdb82b639
SHA512

2e7d647dd29db3ec126ef18e1e24e87e7482264376722754676af2d0c53e2a7bd1bc7d8b6c62526882b6ac0c0f498e247fa2de7d594c922e745966d5b6c2878e
SSDEEP

3072:u3rx7Fa9S+ZUY0QABxTF27jskr+1vTmENGMbZLQ/QWoPCrAZuiG:um9S+ZtABxTgwRGMbFF

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot8144564059:AAGZGbvRRUEPFcw0XVG2BW_EHAzXGMZHSwk/sendMessage?chat_id=5059028006

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral17/memory/2348-1-0x0000000000EF0000-0x0000000000F18000-memory.dmp	disable_win_def
behavioral17/files/0x0005000000019501-8.dat	disable_win_def
behavioral17/memory/2840-10-0x0000000000310000-0x0000000000338000-memory.dmp	disable_win_def

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye

Deletes itself 1 IoCs

pid	Process
376	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	rat.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2388	tasklist.exe
2704	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2776	timeout.exe
2856	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2244	schtasks.exe
2572	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2840	rat.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2840	rat.exe
2840	rat.exe
2840	rat.exe
2840	rat.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	porsche1.exe
Token: SeDebugPrivilege	2388	tasklist.exe
Token: SeDebugPrivilege	2704	tasklist.exe
Token: SeDebugPrivilege	2840	rat.exe
Token: SeDebugPrivilege	2840	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2840	rat.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2244	2348	porsche1.exe	33
PID 2348 wrote to memory of 2244	2348	porsche1.exe	33
PID 2348 wrote to memory of 2244	2348	porsche1.exe	33
PID 2348 wrote to memory of 376	2348	porsche1.exe	35
PID 2348 wrote to memory of 376	2348	porsche1.exe	35
PID 2348 wrote to memory of 376	2348	porsche1.exe	35
PID 376 wrote to memory of 2388	376	cmd.exe	37
PID 376 wrote to memory of 2388	376	cmd.exe	37
PID 376 wrote to memory of 2388	376	cmd.exe	37
PID 376 wrote to memory of 2684	376	cmd.exe	38
PID 376 wrote to memory of 2684	376	cmd.exe	38
PID 376 wrote to memory of 2684	376	cmd.exe	38
PID 376 wrote to memory of 2776	376	cmd.exe	39
PID 376 wrote to memory of 2776	376	cmd.exe	39
PID 376 wrote to memory of 2776	376	cmd.exe	39
PID 376 wrote to memory of 2704	376	cmd.exe	40
PID 376 wrote to memory of 2704	376	cmd.exe	40
PID 376 wrote to memory of 2704	376	cmd.exe	40
PID 376 wrote to memory of 2708	376	cmd.exe	41
PID 376 wrote to memory of 2708	376	cmd.exe	41
PID 376 wrote to memory of 2708	376	cmd.exe	41
PID 376 wrote to memory of 2856	376	cmd.exe	42
PID 376 wrote to memory of 2856	376	cmd.exe	42
PID 376 wrote to memory of 2856	376	cmd.exe	42
PID 376 wrote to memory of 2840	376	cmd.exe	43
PID 376 wrote to memory of 2840	376	cmd.exe	43
PID 376 wrote to memory of 2840	376	cmd.exe	43
PID 2840 wrote to memory of 2572	2840	rat.exe	45
PID 2840 wrote to memory of 2572	2840	rat.exe	45
PID 2840 wrote to memory of 2572	2840	rat.exe	45
PID 2840 wrote to memory of 2624	2840	rat.exe	47
PID 2840 wrote to memory of 2624	2840	rat.exe	47
PID 2840 wrote to memory of 2624	2840	rat.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Data\Modules\porsche1.exe
"C:\Users\Admin\AppData\Local\Temp\Data\Modules\porsche1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCEA5.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpCEA5.tmp.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:376
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2348"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2684
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2776
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2348"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2708
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2856
- - C:\Users\CyberEye\rat.exe
    "rat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2572
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2840 -s 1720
      4⤵
      PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCEA5.tmp.bat

Filesize
185B

MD5
429bbf022da6014ea40808d8aedcdded

SHA1
8239ea4ef80852535ec0a443c7f783e3479107b1

SHA256
e29af8725b5ecebc7c671725f55709314b1f2063b6e138397a5fb1ef6b6e4d94

SHA512
adfedb8668b69ab6188c530abae71aa8508a58089bb05af169fbfc4a9c5d22aee6f6dc75d9560a5ec11639e2a277505284c3b411910cc1ab12c6ddb93d04a26f

Download Submit
C:\Users\CyberEye\rat.exe

Filesize
137KB

MD5
a5c1ee36b5adf088e4938ff2c350291f

SHA1
da217a5def61fc33710ee60659f59937cbcc1fb4

SHA256
9b4cf6cdae00466be75f8da110fd512f58e54dc2b939fb92c44eb2cbdb82b639

SHA512
2e7d647dd29db3ec126ef18e1e24e87e7482264376722754676af2d0c53e2a7bd1bc7d8b6c62526882b6ac0c0f498e247fa2de7d594c922e745966d5b6c2878e

Download Submit
memory/2348-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/2348-1-0x0000000000EF0000-0x0000000000F18000-memory.dmp

Filesize
160KB

Download
memory/2348-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-6-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-10-0x0000000000310000-0x0000000000338000-memory.dmp

Filesize
160KB

Download