toxiceye | d00c33e6af3acfbc5653dadda59411bb4bf95a9f7a0fd1305e7cae270250dcb6

Analysis

max time kernel
4s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 16:10

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

.exe
Size

111KB
MD5

f190eabe265f87543a479e6ae30a75e3
SHA1

540a3361515ef8a07f0448d71ef1f5a9987bf8f0
SHA256

d00c33e6af3acfbc5653dadda59411bb4bf95a9f7a0fd1305e7cae270250dcb6
SHA512

792ea11c4ccdbaba481ad2102d7b95e3da730bba155d10fa20ece922df023d12a94cf65598b2866d85126df6dc8177520488e9c4c685fed14d23b66d3d7af95e
SSDEEP

3072:MbF/tHT+X4rWXFiWkkkQDDKbuq0tQW5zCrAZuu1B:s/tHT+X4UdkkkQDDKbLg

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/sendMessage?chat_id=5569740835

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	.exe

Executes dropped EXE 1 IoCs

pid	Process
3800	yanak.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4828	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3976	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3800	yanak.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3800	yanak.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	.exe
Token: SeDebugPrivilege	4828	tasklist.exe
Token: SeDebugPrivilege	3800	yanak.exe
Token: SeDebugPrivilege	3800	yanak.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3800	yanak.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 1928	3980	.exe	83
PID 3980 wrote to memory of 1928	3980	.exe	83
PID 1928 wrote to memory of 4828	1928	cmd.exe	85
PID 1928 wrote to memory of 4828	1928	cmd.exe	85
PID 1928 wrote to memory of 4712	1928	cmd.exe	86
PID 1928 wrote to memory of 4712	1928	cmd.exe	86
PID 1928 wrote to memory of 3976	1928	cmd.exe	88
PID 1928 wrote to memory of 3976	1928	cmd.exe	88
PID 1928 wrote to memory of 3800	1928	cmd.exe	89
PID 1928 wrote to memory of 3800	1928	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp708C.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp708C.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 3980"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4712
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3976
- - C:\Users\yanak\yanak.exe
    "yanak.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp708C.tmp.bat

Filesize
176B

MD5
80451a2ad127b48d8ae1a1e2d57feb4e

SHA1
0cf6e4b505d23308300b1b3531690e6e6633f1b0

SHA256
cb9bc1a52e0676e7f803aebd13eed3c818e61ce68de814dc90a8572a4da0717f

SHA512
2ce9810fede4eb3de8cf87c04b44472dfe3b5b587253d88e174603901cc0107029a0dd8ff9d33328c8a82892f9443f38b4568307aee0ced7a533a6b8514eef59

Download Submit
C:\Users\yanak\yanak.exe

Filesize
111KB

MD5
f190eabe265f87543a479e6ae30a75e3

SHA1
540a3361515ef8a07f0448d71ef1f5a9987bf8f0

SHA256
d00c33e6af3acfbc5653dadda59411bb4bf95a9f7a0fd1305e7cae270250dcb6

SHA512
792ea11c4ccdbaba481ad2102d7b95e3da730bba155d10fa20ece922df023d12a94cf65598b2866d85126df6dc8177520488e9c4c685fed14d23b66d3d7af95e

Download Submit
memory/3980-0-0x00007FF92BD93000-0x00007FF92BD95000-memory.dmp

Filesize
8KB

Download
memory/3980-1-0x000002E420890000-0x000002E4208B2000-memory.dmp

Filesize
136KB

Download
memory/3980-2-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

Filesize
10.8MB

Download
memory/3980-6-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

Filesize
10.8MB

Download