toxiceye | d00c33e6af3acfbc5653dadda59411bb4bf95a9f7a0fd1305e7cae270250dcb6

General

Target

.exe
Size

111KB
MD5

f190eabe265f87543a479e6ae30a75e3
SHA1

540a3361515ef8a07f0448d71ef1f5a9987bf8f0
SHA256

d00c33e6af3acfbc5653dadda59411bb4bf95a9f7a0fd1305e7cae270250dcb6
SHA512

792ea11c4ccdbaba481ad2102d7b95e3da730bba155d10fa20ece922df023d12a94cf65598b2866d85126df6dc8177520488e9c4c685fed14d23b66d3d7af95e
SSDEEP

3072:MbF/tHT+X4rWXFiWkkkQDDKbuq0tQW5zCrAZuu1B:s/tHT+X4UdkkkQDDKbLg

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7584205709:AAHSbORjgixKBL3e_gW4a2nQGHA1HBwJVqY/sendMessage?chat_id=5569740835

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye

Deletes itself 1 IoCs

pid	Process
2472	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	yanak.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2496	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1888	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2796	yanak.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2796	yanak.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	.exe
Token: SeDebugPrivilege	2496	tasklist.exe
Token: SeDebugPrivilege	2796	yanak.exe
Token: SeDebugPrivilege	2796	yanak.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2796	yanak.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2472	3044	.exe	31
PID 3044 wrote to memory of 2472	3044	.exe	31
PID 3044 wrote to memory of 2472	3044	.exe	31
PID 2472 wrote to memory of 2496	2472	cmd.exe	33
PID 2472 wrote to memory of 2496	2472	cmd.exe	33
PID 2472 wrote to memory of 2496	2472	cmd.exe	33
PID 2472 wrote to memory of 1856	2472	cmd.exe	34
PID 2472 wrote to memory of 1856	2472	cmd.exe	34
PID 2472 wrote to memory of 1856	2472	cmd.exe	34
PID 2472 wrote to memory of 1888	2472	cmd.exe	36
PID 2472 wrote to memory of 1888	2472	cmd.exe	36
PID 2472 wrote to memory of 1888	2472	cmd.exe	36
PID 2472 wrote to memory of 2796	2472	cmd.exe	37
PID 2472 wrote to memory of 2796	2472	cmd.exe	37
PID 2472 wrote to memory of 2796	2472	cmd.exe	37
PID 2796 wrote to memory of 2784	2796	yanak.exe	40
PID 2796 wrote to memory of 2784	2796	yanak.exe	40
PID 2796 wrote to memory of 2784	2796	yanak.exe	40

C:\Users\Admin\AppData\Local\Temp\.exe
"C:\Users\Admin\AppData\Local\Temp\.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBC1E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpBC1E.tmp.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 3044"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1856
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1888
- - C:\Users\yanak\yanak.exe
    "yanak.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2796 -s 1300
      4⤵
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBC1E.tmp.bat

Filesize
176B

MD5
bfed7739a5507d33b96e02651eb09537

SHA1
a7c17ef6c3a18d417d2187289fce19681b6c530f

SHA256
6c699676d4cbf1a7391f4360e87d3e85b6cd44d398bdb423299ec748ffbf3831

SHA512
b5aea39605b6970ff3678e2f46cf3a65accbec508f06984f4784a6435251f2fe3465dca5a42e39a436b63e5ac4cc17b49bc9842a41a256cac68202e1214477ac

Download Submit
C:\Users\yanak\yanak.exe

Filesize
111KB

MD5
f190eabe265f87543a479e6ae30a75e3

SHA1
540a3361515ef8a07f0448d71ef1f5a9987bf8f0

SHA256
d00c33e6af3acfbc5653dadda59411bb4bf95a9f7a0fd1305e7cae270250dcb6

SHA512
792ea11c4ccdbaba481ad2102d7b95e3da730bba155d10fa20ece922df023d12a94cf65598b2866d85126df6dc8177520488e9c4c685fed14d23b66d3d7af95e

Download Submit
memory/2796-10-0x0000000000A50000-0x0000000000A72000-memory.dmp

Filesize
136KB

Download
memory/3044-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/3044-1-0x0000000000EA0000-0x0000000000EC2000-memory.dmp

Filesize
136KB

Download
memory/3044-2-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/3044-6-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing