toxiceye | 0de1f1739dfc278a21c75d17be004aa2ea212896d18e56a4495f7b118cd7d7a1

Analysis

max time kernel
20s
max time network
21s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Start Checker.bat
Size

63B
MD5

7cd830db1b8da52c0062cc6f260a9685
SHA1

ed401d18b0095fc94e4809b7d1ff433dd05697f4
SHA256

d3347618ea5777b3d58e2005afbebe1e9d484405919333f41bc0ddb189261758
SHA512

c735b66dc15a37221b65e9350115db78ee55cb3ef11f401bc9f744be2b1283a16937d62ca8344c071febd6ddd4ccf924b001bbb79a5d03519bf49328264ae097

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot8144564059:AAGZGbvRRUEPFcw0XVG2BW_EHAzXGMZHSwk/sendMessage?chat_id=5059028006

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral19/memory/2984-1-0x0000000001220000-0x0000000001248000-memory.dmp	disable_win_def
behavioral19/files/0x0031000000018bbf-12.dat	disable_win_def
behavioral19/memory/2068-14-0x00000000012C0000-0x00000000012E8000-memory.dmp	disable_win_def

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye

Executes dropped EXE 1 IoCs

pid	Process
2068	rat.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2824	tasklist.exe
2172	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2404	timeout.exe
1692	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2672	schtasks.exe
316	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2068	rat.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2068	rat.exe
2068	rat.exe
2068	rat.exe
2068	rat.exe
2068	rat.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	porsche1.exe
Token: SeDebugPrivilege	2824	tasklist.exe
Token: SeDebugPrivilege	2172	tasklist.exe
Token: SeDebugPrivilege	2068	rat.exe
Token: SeDebugPrivilege	2068	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2068	rat.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2876	2448	cmd.exe	31
PID 2448 wrote to memory of 2876	2448	cmd.exe	31
PID 2448 wrote to memory of 2876	2448	cmd.exe	31
PID 2448 wrote to memory of 2984	2448	cmd.exe	33
PID 2448 wrote to memory of 2984	2448	cmd.exe	33
PID 2448 wrote to memory of 2984	2448	cmd.exe	33
PID 2984 wrote to memory of 2672	2984	porsche1.exe	36
PID 2984 wrote to memory of 2672	2984	porsche1.exe	36
PID 2984 wrote to memory of 2672	2984	porsche1.exe	36
PID 2984 wrote to memory of 2752	2984	porsche1.exe	38
PID 2984 wrote to memory of 2752	2984	porsche1.exe	38
PID 2984 wrote to memory of 2752	2984	porsche1.exe	38
PID 2752 wrote to memory of 2824	2752	cmd.exe	40
PID 2752 wrote to memory of 2824	2752	cmd.exe	40
PID 2752 wrote to memory of 2824	2752	cmd.exe	40
PID 2752 wrote to memory of 2620	2752	cmd.exe	41
PID 2752 wrote to memory of 2620	2752	cmd.exe	41
PID 2752 wrote to memory of 2620	2752	cmd.exe	41
PID 2752 wrote to memory of 2404	2752	cmd.exe	42
PID 2752 wrote to memory of 2404	2752	cmd.exe	42
PID 2752 wrote to memory of 2404	2752	cmd.exe	42
PID 2752 wrote to memory of 2172	2752	cmd.exe	43
PID 2752 wrote to memory of 2172	2752	cmd.exe	43
PID 2752 wrote to memory of 2172	2752	cmd.exe	43
PID 2752 wrote to memory of 868	2752	cmd.exe	44
PID 2752 wrote to memory of 868	2752	cmd.exe	44
PID 2752 wrote to memory of 868	2752	cmd.exe	44
PID 2752 wrote to memory of 1692	2752	cmd.exe	45
PID 2752 wrote to memory of 1692	2752	cmd.exe	45
PID 2752 wrote to memory of 1692	2752	cmd.exe	45
PID 2752 wrote to memory of 2068	2752	cmd.exe	46
PID 2752 wrote to memory of 2068	2752	cmd.exe	46
PID 2752 wrote to memory of 2068	2752	cmd.exe	46
PID 2068 wrote to memory of 316	2068	rat.exe	48
PID 2068 wrote to memory of 316	2068	rat.exe	48
PID 2068 wrote to memory of 316	2068	rat.exe	48
PID 2068 wrote to memory of 1980	2068	rat.exe	50
PID 2068 wrote to memory of 1980	2068	rat.exe	50
PID 2068 wrote to memory of 1980	2068	rat.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Start Checker.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\Data\Modules\porsche.exe
  Data\Modules\porsche.exe
  2⤵
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\Data\Modules\porsche1.exe
  Data\Modules\porsche1.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2672
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpFC3A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpFC3A.tmp.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2984"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2824
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:2620
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2404
  - - C:\Windows\system32\tasklist.exe
      Tasklist /fi "PID eq 2984"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2172
  - - C:\Windows\system32\find.exe
      find ":"
      4⤵
      PID:868
  - - C:\Windows\system32\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1692
  - - C:\Users\CyberEye\rat.exe
      "rat.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:316
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2068 -s 1740
        5⤵
        
        PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFC3A.tmp.bat

Filesize
185B

MD5
23510fcae885fefc7c048c1458d43464

SHA1
cd807cc3ffb625d6a68053a91bf9e0fd6b8dd189

SHA256
ce80977177f52420b14d8fbb36b76079f88ed8aa17fa4e6b7557890de1b556b5

SHA512
6368c4abd7e7b65a120a1e301de8076ddd99fafd3336e08b661687f15b442dbe86a918a315a268c6e7519c498a0240ed92384aeb868aa8325f3d2f1de667af7b

Download Submit
C:\Users\CyberEye\rat.exe

Filesize
137KB

MD5
a5c1ee36b5adf088e4938ff2c350291f

SHA1
da217a5def61fc33710ee60659f59937cbcc1fb4

SHA256
9b4cf6cdae00466be75f8da110fd512f58e54dc2b939fb92c44eb2cbdb82b639

SHA512
2e7d647dd29db3ec126ef18e1e24e87e7482264376722754676af2d0c53e2a7bd1bc7d8b6c62526882b6ac0c0f498e247fa2de7d594c922e745966d5b6c2878e

Download Submit
memory/2068-14-0x00000000012C0000-0x00000000012E8000-memory.dmp

Filesize
160KB

Download
memory/2876-6-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2876-4-0x0000000002350000-0x0000000002402000-memory.dmp

Filesize
712KB

Download
memory/2876-0-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp

Filesize
4KB

Download
memory/2876-2-0x0000000000C00000-0x0000000000C2E000-memory.dmp

Filesize
184KB

Download
memory/2876-15-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp

Filesize
4KB

Download
memory/2876-16-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2984-5-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2984-3-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2984-10-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2984-1-0x0000000001220000-0x0000000001248000-memory.dmp

Filesize
160KB

Download