toxiceye | aff7268f7d07ff44b8e5c331bf9b95db52c66b8490b7f9d8d5c2440b1f161801

Reason

Machine shutdown

General

Target

3UJPL_TelegramRAT.exe
Size

111KB
MD5

43b7c93356db3b366d065d484d12cf0d
SHA1

cbefe3ef152e12104c16cedc1de739086b37494d
SHA256

aff7268f7d07ff44b8e5c331bf9b95db52c66b8490b7f9d8d5c2440b1f161801
SHA512

b63d5a168d10bd0523c14d758127250e0208c3a0f95e4596224e3f5976016129d3203dbdda6b6c4a1f6678cb04fb27bc833c0efd1436b1ae1e7e2dfa203d4563
SSDEEP

1536:C+bAQAsnqLoM91qQIwxHxZxdyyKDWfybhDqI64QWqzCrAZuucvDT:FbKsnwo0RZxjQbxqH4QWqzCrAZuu8T

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	3UJPL_TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

pid	Process
3548	rat.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4616	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3968	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1780	schtasks.exe
2704	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3548	rat.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3548	rat.exe
3548	rat.exe
3548	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1408	3UJPL_TelegramRAT.exe
Token: SeDebugPrivilege	4616	tasklist.exe
Token: SeDebugPrivilege	3548	rat.exe
Token: SeDebugPrivilege	3548	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3548	rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1780	1408	3UJPL_TelegramRAT.exe	87
PID 1408 wrote to memory of 1780	1408	3UJPL_TelegramRAT.exe	87
PID 1408 wrote to memory of 1040	1408	3UJPL_TelegramRAT.exe	89
PID 1408 wrote to memory of 1040	1408	3UJPL_TelegramRAT.exe	89
PID 1040 wrote to memory of 4616	1040	cmd.exe	91
PID 1040 wrote to memory of 4616	1040	cmd.exe	91
PID 1040 wrote to memory of 4600	1040	cmd.exe	92
PID 1040 wrote to memory of 4600	1040	cmd.exe	92
PID 1040 wrote to memory of 3968	1040	cmd.exe	93
PID 1040 wrote to memory of 3968	1040	cmd.exe	93
PID 1040 wrote to memory of 3548	1040	cmd.exe	94
PID 1040 wrote to memory of 3548	1040	cmd.exe	94
PID 3548 wrote to memory of 2704	3548	rat.exe	98
PID 3548 wrote to memory of 2704	3548	rat.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3UJPL_TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\3UJPL_TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7918.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7918.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1408"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4600
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3968
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7918.tmp.bat

Filesize
194B

MD5
29cc4539b864d88bba78584e459ad001

SHA1
72b88f1c378cf18663408ed01ebbdfeca19094b9

SHA256
c412c3941b9e15298d9116a1c779758a920628a43e4feb00b1b29c9cacc35c77

SHA512
c7ba602d765e75c7b524bddfd9f93743c93747856a45b07148a24a736d4fac19f14fb3703c31e311a2bef4256423d154a399e3ea6b25f1ecf5b15e71ba2274f5

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
43b7c93356db3b366d065d484d12cf0d

SHA1
cbefe3ef152e12104c16cedc1de739086b37494d

SHA256
aff7268f7d07ff44b8e5c331bf9b95db52c66b8490b7f9d8d5c2440b1f161801

SHA512
b63d5a168d10bd0523c14d758127250e0208c3a0f95e4596224e3f5976016129d3203dbdda6b6c4a1f6678cb04fb27bc833c0efd1436b1ae1e7e2dfa203d4563

Download Submit
memory/1408-0-0x00007FF91EF03000-0x00007FF91EF05000-memory.dmp

Filesize
8KB

Download
memory/1408-1-0x000001DD81670000-0x000001DD81692000-memory.dmp

Filesize
136KB

Download
memory/1408-2-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download
memory/1408-7-0x00007FF91EF00000-0x00007FF91F9C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads