toxiceye | c8bd833b7cad2cb59d6f1334acb3c887185e1b23c2d39002094a288fb22194dc

General

Target

TelegramRAT.exe
Size

136KB
MD5

d87112c508292deb2c6bb973990110b0
SHA1

7eefccf695fda5f1ee6fa44abc8a089245ca7c75
SHA256

c673ee9500c45d1f0c1425f294ea893256de066ba231d764fdc391b5053d2611
SHA512

4fd4a81948c8f93df61c7c84dcd0f894726c7b116ec912855514cccb14655bda44349bce6273b31ad2d553b79f5f421c9cd3ef3a79136f55f83edff4b5e3a9f7
SSDEEP

3072:93rPVBOw9fEUUixpkLADFN672mIxmcobZnQ8QWkPCrAZukh:9LjOw9fHxpkiFvObdU

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7095149991:AAGgD9iFbmtMK0VZiA3cT64Kd_IBHL-HTeQ/sendMessage?chat_id=7362979925

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral8/memory/1808-1-0x000001DA86310000-0x000001DA86338000-memory.dmp	disable_win_def
behavioral8/files/0x0011000000023af6-9.dat	disable_win_def

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	TelegramRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

pid	Process
3604	rat.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3896	tasklist.exe
4036	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3260	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5024	schtasks.exe
4164	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3604	rat.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3604	rat.exe
3604	rat.exe
3604	rat.exe
3604	rat.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	TelegramRAT.exe
Token: SeDebugPrivilege	3896	tasklist.exe
Token: SeDebugPrivilege	3604	rat.exe
Token: SeDebugPrivilege	3604	rat.exe
Token: SeDebugPrivilege	4036	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3604	rat.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 5024	1808	TelegramRAT.exe	91
PID 1808 wrote to memory of 5024	1808	TelegramRAT.exe	91
PID 1808 wrote to memory of 2344	1808	TelegramRAT.exe	93
PID 1808 wrote to memory of 2344	1808	TelegramRAT.exe	93
PID 2344 wrote to memory of 3896	2344	cmd.exe	95
PID 2344 wrote to memory of 3896	2344	cmd.exe	95
PID 2344 wrote to memory of 3272	2344	cmd.exe	96
PID 2344 wrote to memory of 3272	2344	cmd.exe	96
PID 2344 wrote to memory of 3260	2344	cmd.exe	97
PID 2344 wrote to memory of 3260	2344	cmd.exe	97
PID 2344 wrote to memory of 3604	2344	cmd.exe	98
PID 2344 wrote to memory of 3604	2344	cmd.exe	98
PID 3604 wrote to memory of 4164	3604	rat.exe	100
PID 3604 wrote to memory of 4164	3604	rat.exe	100
PID 3604 wrote to memory of 5112	3604	rat.exe	102
PID 3604 wrote to memory of 5112	3604	rat.exe	102
PID 3604 wrote to memory of 680	3604	rat.exe	104
PID 3604 wrote to memory of 680	3604	rat.exe	104
PID 680 wrote to memory of 4036	680	cmd.exe	106
PID 680 wrote to memory of 4036	680	cmd.exe	106
PID 680 wrote to memory of 4528	680	cmd.exe	107
PID 680 wrote to memory of 4528	680	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8F6F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8F6F.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 1808"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3896
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:3272
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3260
- - C:\Users\CyberEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4164
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "Chrome Update"
      4⤵
      PID:5112
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA7C9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA7C9.tmp.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:680
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3604"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4036
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8F6F.tmp.bat

Filesize
188B

MD5
f5bca2a5854610389470c4104a0a34ae

SHA1
b6acf482b708b0d3947440e9a69825e821f765ed

SHA256
38c320afa22d4c988104d34599daa007938ed3680e0b03a63448a5740683c1e5

SHA512
9d3d043261fd1cbdb90a932054f9e0edd17645992e1eae9569ff0ffd63c2a7479638a1983ec4ad8c59bfe988ae81ea87b9a6c6dadda89957e1fc33ab229b531c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA7C9.tmp.bat

Filesize
131B

MD5
dce154a7812b3fdb22e2e68f91afec28

SHA1
727b6c17ffd67db201f532ba50f0abcac1907023

SHA256
e1d10c8e3db0e9245f6a905d288bdffa199b25f275071f16a46d19543d671360

SHA512
c6be09aa3e0c6971c1bf5386ba95176cdfb190b842f98a9c86ccfc4986ca0578dd2484a5390533142977b939d01d67baa6a7ecbc5dd53a8a7d43174c6843950c

Download Submit
C:\Users\CyberEye\rat.exe

Filesize
136KB

MD5
d87112c508292deb2c6bb973990110b0

SHA1
7eefccf695fda5f1ee6fa44abc8a089245ca7c75

SHA256
c673ee9500c45d1f0c1425f294ea893256de066ba231d764fdc391b5053d2611

SHA512
4fd4a81948c8f93df61c7c84dcd0f894726c7b116ec912855514cccb14655bda44349bce6273b31ad2d553b79f5f421c9cd3ef3a79136f55f83edff4b5e3a9f7

Download Submit
memory/1808-0-0x00007FFD02073000-0x00007FFD02075000-memory.dmp

Filesize
8KB

Download
memory/1808-1-0x000001DA86310000-0x000001DA86338000-memory.dmp

Filesize
160KB

Download
memory/1808-2-0x00007FFD02070000-0x00007FFD02B31000-memory.dmp

Filesize
10.8MB

Download
memory/1808-6-0x00007FFD02070000-0x00007FFD02B31000-memory.dmp

Filesize
10.8MB

Download
memory/3604-11-0x000001EB76210000-0x000001EB76286000-memory.dmp

Filesize
472KB

Download
memory/3604-12-0x000001EB76340000-0x000001EB763EA000-memory.dmp

Filesize
680KB

Download
memory/3604-15-0x000001EB75D90000-0x000001EB75F39000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads