toxiceye | aff7268f7d07ff44b8e5c331bf9b95db52c66b8490b7f9d8d5c2440b1f161801

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05/01/2025, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TelegramRAT.exe
Size

111KB
MD5

43b7c93356db3b366d065d484d12cf0d
SHA1

cbefe3ef152e12104c16cedc1de739086b37494d
SHA256

aff7268f7d07ff44b8e5c331bf9b95db52c66b8490b7f9d8d5c2440b1f161801
SHA512

b63d5a168d10bd0523c14d758127250e0208c3a0f95e4596224e3f5976016129d3203dbdda6b6c4a1f6678cb04fb27bc833c0efd1436b1ae1e7e2dfa203d4563
SSDEEP

1536:C+bAQAsnqLoM91qQIwxHxZxdyyKDWfybhDqI64QWqzCrAZuucvDT:FbKsnwo0RZxjQbxqH4QWqzCrAZuu8T

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye

Deletes itself 1 IoCs

pid	Process
2864	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2804	rat.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3036	tasklist.exe
2828	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3028	timeout.exe
2972	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2520	schtasks.exe
436	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2804	rat.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2804	rat.exe
2804	rat.exe
2804	rat.exe
2804	rat.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	TelegramRAT.exe
Token: SeDebugPrivilege	3036	tasklist.exe
Token: SeDebugPrivilege	2828	tasklist.exe
Token: SeDebugPrivilege	2804	rat.exe
Token: SeDebugPrivilege	2804	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2804	rat.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2520	2608	TelegramRAT.exe	31
PID 2608 wrote to memory of 2520	2608	TelegramRAT.exe	31
PID 2608 wrote to memory of 2520	2608	TelegramRAT.exe	31
PID 2608 wrote to memory of 2864	2608	TelegramRAT.exe	33
PID 2608 wrote to memory of 2864	2608	TelegramRAT.exe	33
PID 2608 wrote to memory of 2864	2608	TelegramRAT.exe	33
PID 2864 wrote to memory of 3036	2864	cmd.exe	35
PID 2864 wrote to memory of 3036	2864	cmd.exe	35
PID 2864 wrote to memory of 3036	2864	cmd.exe	35
PID 2864 wrote to memory of 2820	2864	cmd.exe	36
PID 2864 wrote to memory of 2820	2864	cmd.exe	36
PID 2864 wrote to memory of 2820	2864	cmd.exe	36
PID 2864 wrote to memory of 3028	2864	cmd.exe	37
PID 2864 wrote to memory of 3028	2864	cmd.exe	37
PID 2864 wrote to memory of 3028	2864	cmd.exe	37
PID 2864 wrote to memory of 2828	2864	cmd.exe	38
PID 2864 wrote to memory of 2828	2864	cmd.exe	38
PID 2864 wrote to memory of 2828	2864	cmd.exe	38
PID 2864 wrote to memory of 2768	2864	cmd.exe	39
PID 2864 wrote to memory of 2768	2864	cmd.exe	39
PID 2864 wrote to memory of 2768	2864	cmd.exe	39
PID 2864 wrote to memory of 2972	2864	cmd.exe	40
PID 2864 wrote to memory of 2972	2864	cmd.exe	40
PID 2864 wrote to memory of 2972	2864	cmd.exe	40
PID 2864 wrote to memory of 2804	2864	cmd.exe	41
PID 2864 wrote to memory of 2804	2864	cmd.exe	41
PID 2864 wrote to memory of 2804	2864	cmd.exe	41
PID 2804 wrote to memory of 436	2804	rat.exe	43
PID 2804 wrote to memory of 436	2804	rat.exe	43
PID 2804 wrote to memory of 436	2804	rat.exe	43
PID 2804 wrote to memory of 1496	2804	rat.exe	45
PID 2804 wrote to memory of 1496	2804	rat.exe	45
PID 2804 wrote to memory of 1496	2804	rat.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8594.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8594.tmp.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2608"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2820
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3028
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 2608"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2768
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2972
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:436
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2804 -s 1728
      4⤵
      PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8594.tmp.bat

Filesize
188B

MD5
6f8571114fc9ce786c47e2b8b152b3b2

SHA1
8b6cbbfaec6a9fe120149f75e34c34d76ec6fa10

SHA256
06fb49a9ada26f61a9716e91b12adfebc8f157b62d878ffd81508aa5c1c271e5

SHA512
cb9f3b23401b7ef62535f80f9bb029be4e1bf71e92e7f20b4cef1163ca6292674dde8fc2a48f50b42bf7870eaf2626b347c467029c72baa2fa4f3190a47f8d9f

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
43b7c93356db3b366d065d484d12cf0d

SHA1
cbefe3ef152e12104c16cedc1de739086b37494d

SHA256
aff7268f7d07ff44b8e5c331bf9b95db52c66b8490b7f9d8d5c2440b1f161801

SHA512
b63d5a168d10bd0523c14d758127250e0208c3a0f95e4596224e3f5976016129d3203dbdda6b6c4a1f6678cb04fb27bc833c0efd1436b1ae1e7e2dfa203d4563

Download Submit
memory/2608-0-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp

Filesize
4KB

Download
memory/2608-1-0x0000000000270000-0x0000000000292000-memory.dmp

Filesize
136KB

Download
memory/2608-2-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-6-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-10-0x0000000000320000-0x0000000000342000-memory.dmp

Filesize
136KB

Download