Overview

overview

10

Static

static

10

Data/Modul...io.dll

windows7-x64

1

Data/Modul...io.dll

windows10-2004-x64

1

Data/Modul...pi.dll

windows7-x64

1

Data/Modul...pi.dll

windows10-2004-x64

1

Data/Modules/Jint.dll

windows7-x64

1

Data/Modules/Jint.dll

windows10-2004-x64

1

Data/Modul...et.dll

windows7-x64

1

Data/Modul...et.dll

windows10-2004-x64

1

Data/Modul...on.dll

windows7-x64

1

Data/Modul...on.dll

windows10-2004-x64

1

Data/Modul...um.dll

windows7-x64

1

Data/Modul...um.dll

windows10-2004-x64

1

Data/Modul...he.exe

windows7-x64

1

Data/Modul...he.exe

windows10-2004-x64

1

Data/Modul...e1.exe

windows7-x64

10

Data/Modul...e1.exe

windows10-2004-x64

10

Jint.dll

windows7-x64

1

Jint.dll

windows10-2004-x64

1

Start Checker.bat

windows7-x64

10

Start Checker.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    HotmailChecker.rar

  • Size

    667KB

  • Sample

    241125-varvjsspaj

  • MD5

    25d5d8e397837f866ee0062beae405c8

  • SHA1

    ed1b40f91ba22c6ee5fb78dc77fc3c3a4dc6738e

  • SHA256

    0de1f1739dfc278a21c75d17be004aa2ea212896d18e56a4495f7b118cd7d7a1

  • SHA512

    00fe4697e5fda99467872ff3d8ae5f45a7dea3e8cbdf5db8c935f8291c777dd095a3fc4a543171bd6c076e304a6fc1285aaedbbd6d8da24bf6badde9dc682881

  • SSDEEP

    12288:8qlOkp1CyGNVql3fY308oLdCCqJEr4EnFROLyKeoc31UJmarmojLw56TmfNoj:1lOkpYyGNElvJAlO4EFRTPoYdAxj1ifE

Score
10/10
toxiceyediscoveryratspywarestealertrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot8144564059:AAGZGbvRRUEPFcw0XVG2BW_EHAzXGMZHSwk/sendMessage?chat_id=5059028006

Targets

    • Target

      Data/Modules/AudioSwitcher.AudioApi.CoreAudio.dll

    • Size

      76KB

    • MD5

      1a3571119038a479c298097087635803

    • SHA1

      95daf8034c518a52639fb845aad28bec57fd5cd3

    • SHA256

      f496f74f48f3dbb499474ef0a06894079087871342b3e3bc254c5903e4aebf91

    • SHA512

      d534bc4117a3ed5ce0a14f6658679b75a05453a41522d6307af4e0ab3bbee7049f70671a50db7dc3804fe5f6ccb6a4496f1a316222eab076deb6d39ac93c4c43

    • SSDEEP

      1536:QlhKei7+LjzyJmJtJhendwV61ncQmlp/bV:Qo7+3zcndwIncQM/bV

    Score
    1/10
    behavioral1behavioral2

    • Target

      Data/Modules/AudioSwitcher.AudioApi.dll

    • Size

      40KB

    • MD5

      3f88b41942ec020c9b66f464b3d1c899

    • SHA1

      a846f0855d5250dc4dda9d3c37f6862e93ebc802

    • SHA256

      26ff364fca496ee1093de596645c86731c156d81d026b5d020de46b0df053513

    • SHA512

      dffe0b98033258ba3e58c43bf4e17e280ffb44c0d3c7a5b1c58761acc0ec2e4c30a035bae6df220c5ec07c641d494ccb135bc7b75977021dc2059f2e4e735af0

    • SSDEEP

      384:iFo07NXH3jI8tRM1sGyfPodV/FU92983yggIwFTIVk1yUsUg43prF7RfrEEJvHQb:iG07NDI2ql8PQVtd83p40VoFtsT5h

    Score
    1/10
    behavioral3behavioral4

    • Target

      Data/Modules/Jint.dll

    • Size

      244KB

    • MD5

      734c5ce8f9b104d8ad3c7b494e96f9b9

    • SHA1

      184cd4152b1b65d9531867b06c2e1c215fb872f1

    • SHA256

      ed618668ae9e7c02c7c2b7332dd09079168cca96432a051044683c996337001c

    • SHA512

      1e3ac0649e3b7bf9e97681aa7b1346aa44afe96d8c86fc77a6e002b8cf5b14b1a57f19f669ed0d4ae9a94d3f65d4eefa99dcffcf5d74afc8731f913c9c9f79d6

    • SSDEEP

      3072:hE1DupDOGfyKkpsZa27k5t0f5jjBWV239UDjRFAkqYL36ZmvYYGUaKTUCRaikNrJ:hjyQlGunmvjPa2vRQrXPHNQHsq5+L

    Score
    1/10
    behavioral5behavioral6

    • Target

      Data/Modules/Leaf.xNet.dll

    • Size

      142KB

    • MD5

      2c607159e31c1e091697e74efa5cfebe

    • SHA1

      874d28447e5c1d7583f413db85049bf17de830b5

    • SHA256

      056900c587b7e574ccd154a83fe299bada653347c3862076b0ef6035039c0bec

    • SHA512

      bfe7b463db8f0ef5981b4cdf22d2815ec10a941fb7cdeff4a861626f1fa9a29f913c5e971b257a5d206965e1300328b7530c40692889d9065ab95d63a63fe55c

    • SSDEEP

      3072:iKpUZ/x+t38Q4I2T4EFWX66sU9/dfYJd:vUZ/x+tMnI2T4/XN

    Score
    1/10
    behavioral7behavioral8

    • Target

      Data/Modules/Newtonsoft.Json.dll

    • Size

      695KB

    • MD5

      715a1fbee4665e99e859eda667fe8034

    • SHA1

      e13c6e4210043c4976dcdc447ea2b32854f70cc6

    • SHA256

      c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

    • SHA512

      bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

    • SSDEEP

      12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7

    Score
    1/10
    behavioral10behavioral9

    • Target

      Data/Modules/Sodium.dll

    • Size

      59KB

    • MD5

      fa95d735f88e819edc0cef02d3ee4781

    • SHA1

      9e3c03ee4b0efeedf59edaca15ea304d2ec4cec7

    • SHA256

      bf5b02ac516e9b62086649f43a29287c7872bbdb87512e9d5ec1be681c77a94a

    • SHA512

      554cf8906c7e4bc15653685e70e96995bfdf0803fb30ca196d8bc34f9bfb888a7a1de64e8441415155889893ac7769bb643aa87913f5176c80588b1e3a38348b

    • SSDEEP

      1536:CjCH26g5fMVJXJO466QZmtQLrG3HbK7HIN8xmZ/zuXohMU6i3HFkdEpy:CmH26gr466HtQMbK7HIN8xmZ/zuXohML

    Score
    1/10
    behavioral11behavioral12

    • Target

      Data/Modules/porsche.exe

    • Size

      168KB

    • MD5

      ace08d279f65f6ead0421577476928b6

    • SHA1

      d828d8dfbb543eb1db8b0e3f4430b90e50a23fbd

    • SHA256

      bc93e49457acf3990c916a84d51916638332bf1e7d775e6ad9f240ea595a41b5

    • SHA512

      9910dd98b435f51dca61e78c4721c10a355e288f8b466ef3a4cee71cfcd5dbd5c4beef5d0acfba11e67943a341060f0ecf0f44e793ea1df47e23f149be7cf8d1

    • SSDEEP

      768:bugFyke3kC7sdkiPQpgHG7vHCMYTH5gzYYHXiRQY1lZM8U5AaexwJ3zPBQePJREZ:a0yYC7sSpgHGb4HuzmKY1I8lahTb+

    Score
    1/10
    behavioral13behavioral14

    • Target

      Data/Modules/porsche1.exe

    • Size

      137KB

    • MD5

      a5c1ee36b5adf088e4938ff2c350291f

    • SHA1

      da217a5def61fc33710ee60659f59937cbcc1fb4

    • SHA256

      9b4cf6cdae00466be75f8da110fd512f58e54dc2b939fb92c44eb2cbdb82b639

    • SHA512

      2e7d647dd29db3ec126ef18e1e24e87e7482264376722754676af2d0c53e2a7bd1bc7d8b6c62526882b6ac0c0f498e247fa2de7d594c922e745966d5b6c2878e

    • SSDEEP

      3072:u3rx7Fa9S+ZUY0QABxTF27jskr+1vTmENGMbZLQ/QWoPCrAZuiG:um9S+ZtABxTgwRGMbFF

    Score
    10/10
    toxiceyediscoveryrattrojanspywarestealer

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • ToxicEye

      ToxicEye is a trojan written in C#.

      rattrojantoxiceye

    • Toxiceye family

      toxiceye

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

      discovery
    behavioral15behavioral16

    • Target

      Jint.dll

    • Size

      244KB

    • MD5

      734c5ce8f9b104d8ad3c7b494e96f9b9

    • SHA1

      184cd4152b1b65d9531867b06c2e1c215fb872f1

    • SHA256

      ed618668ae9e7c02c7c2b7332dd09079168cca96432a051044683c996337001c

    • SHA512

      1e3ac0649e3b7bf9e97681aa7b1346aa44afe96d8c86fc77a6e002b8cf5b14b1a57f19f669ed0d4ae9a94d3f65d4eefa99dcffcf5d74afc8731f913c9c9f79d6

    • SSDEEP

      3072:hE1DupDOGfyKkpsZa27k5t0f5jjBWV239UDjRFAkqYL36ZmvYYGUaKTUCRaikNrJ:hjyQlGunmvjPa2vRQrXPHNQHsq5+L

    Score
    1/10
    behavioral17behavioral18

    • Target

      Start Checker.bat

    • Size

      63B

    • MD5

      7cd830db1b8da52c0062cc6f260a9685

    • SHA1

      ed401d18b0095fc94e4809b7d1ff433dd05697f4

    • SHA256

      d3347618ea5777b3d58e2005afbebe1e9d484405919333f41bc0ddb189261758

    • SHA512

      c735b66dc15a37221b65e9350115db78ee55cb3ef11f401bc9f744be2b1283a16937d62ca8344c071febd6ddd4ccf924b001bbb79a5d03519bf49328264ae097

    Score
    10/10
    toxiceyediscoveryrattrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • ToxicEye

      ToxicEye is a trojan written in C#.

      rattrojantoxiceye

    • Toxiceye family

      toxiceye

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Enumerates processes with tasklist

      discovery
    behavioral19behavioral20

MITRE ATT&CK Enterprise v15

Tasks