toxiceye | 75f0b10428471619c2cb34bf7abdef10bb192f238ff09e67a8433ddc6c9e6b76

General

Target

75f0b10428471619c2cb34bf7abdef10bb192f238ff09e67a8433ddc6c9e6b76.exe
Size

2.7MB
MD5

e8750312901386f028ec2e7ba93acdd1
SHA1

8dabf23f1b0732eeae8f371005e392afa3787829
SHA256

75f0b10428471619c2cb34bf7abdef10bb192f238ff09e67a8433ddc6c9e6b76
SHA512

6664206165b2605817492a1dad5b47c9996166c3a9873f9a086d64c3ad87213e89567277c9b7760537efc2e67a5c2b5c4412169eb69f5a31d9f675b7088e429c
SSDEEP

49152:KOmkuWsQFMi4mKH3NmB6JqsG/a5lFHSqLbWKkHs1zfgRAZzgCNP+u+vR9hoU7Uvj:TmbW/MVmKHEB6c0lFHTbWLmbgRWUCh+M

Score

10^/10

toxiceye defense_evasion discovery rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7203802626:AAE_9_dltxewBu7ddFljX_qb4SON6Zl9EzQ/sendMessage?chat_id=688494782

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2852	tasklist.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2728	2888	WerFault.exe	41

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2884	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1052	schtasks.exe
1272	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\75f0b10428471619c2cb34bf7abdef10bb192f238ff09e67a8433ddc6c9e6b76.exe
"C:\Users\Admin\AppData\Local\Temp\75f0b10428471619c2cb34bf7abdef10bb192f238ff09e67a8433ddc6c9e6b76.exe"
1⤵
PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAegBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAZABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAbQBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAeABnACMAPgA="
  2⤵
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\TelegramRATENIGMA.exe
  "C:\Users\Admin\AppData\Local\Temp\TelegramRATENIGMA.exe"
  2⤵
  PID:2772
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp56A9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp56A9.tmp.bat
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\tasklist.exe
      Tasklist /fi "PID eq 2772"
      4⤵
      Enumerates processes with tasklist
      PID:2852
  - - C:\Windows\SysWOW64\find.exe
      find ":"
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\timeout.exe
      Timeout /T 1 /Nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2884
  - - C:\Users\ToxicEye\rat.exe
      "rat.exe"
      4⤵
      PID:2888
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1272
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1936
        5⤵
        Program crash
        
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TelegramRATENIGMA.exe

Filesize
2.4MB

MD5
72355c8c61439593d4d5974df51801ff

SHA1
05b97fa2140225bffcd896cbb808344bf2cb57b4

SHA256
7728c7e4698fcbe0e77c033e956de69b727b2295d3c0cd95a37e2ae150d16dd0

SHA512
36274fe0c7a3933dcef852277a5fb69c7c0ee6a2c4086b19f550a8ef6976755f29c5becb12975db555ebd5e994a5e02b02b61b87e515c2afe55a58acb656d3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp56A9.tmp.bat

Filesize
194B

MD5
1a886dfcfc96564bcca06e425097750d

SHA1
bfa3985c9c0ff72fcc2e91cbee08987540dd7874

SHA256
9649962b88462d581d75a4d1914bc6367d83929b4c6990557746e6ae517ad155

SHA512
dc195209e7640436b7e3184387102307ddfddcde58cb83fb05cf43feeb6a507c41cbf0f3bef0bac5cf988e5e0b83539bbf212e8be60d309c4bc55ab3d0611b2d

Download Submit
\Users\ToxicEye\rat.exe

Filesize
2.1MB

MD5
b141d88d32132348106474d33e9b9c4a

SHA1
14082a44b8646c8a0e271c6552973f0651ed8090

SHA256
0c07ccc19bdbe362becb5e13dcd791483399a0845594223bb1b1a41986b44f82

SHA512
91d0f9dced2bd2b144cea2688ae4301238fb70e92c4ad80295b5e0593ae66d41452ff632f5de3f7228ea3b9155c05a0dd4df9d522629fe40195115ba1fd2b156

Download Submit
memory/800-18-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/800-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/800-17-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/800-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/800-1-0x00000000010F0000-0x00000000013A8000-memory.dmp

Filesize
2.7MB

Download
memory/1480-37-0x0000000002360000-0x0000000002D32000-memory.dmp

Filesize
9.8MB

Download
memory/2076-15-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2076-14-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2772-20-0x0000000001360000-0x0000000001D32000-memory.dmp

Filesize
9.8MB

Download
memory/2772-25-0x0000000001360000-0x0000000001D32000-memory.dmp

Filesize
9.8MB

Download
memory/2772-19-0x0000000001360000-0x0000000001D32000-memory.dmp

Filesize
9.8MB

Download
memory/2772-13-0x0000000001360000-0x0000000001D32000-memory.dmp

Filesize
9.8MB

Download
memory/2888-29-0x00000000011D0000-0x0000000001BA2000-memory.dmp

Filesize
9.8MB

Download
memory/2888-31-0x00000000011D0000-0x0000000001BA2000-memory.dmp

Filesize
9.8MB

Download
memory/2888-30-0x00000000011D0000-0x0000000001BA2000-memory.dmp

Filesize
9.8MB

Download
memory/2888-39-0x00000000011D0000-0x0000000001BA2000-memory.dmp

Filesize
9.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads