toxiceye | 0fd3be20b5b0e61fc687de84a79cce38a0c80eebfdf42ae963eedbd63ac6eacc

Analysis

max time kernel
13s
max time network
11s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChekMine.exe
Size

111KB
MD5

d0a8826179377706d50d8511b5270202
SHA1

a164924fdcaaa9a1c58e8ae4365f06b4da3e6ce3
SHA256

0fd3be20b5b0e61fc687de84a79cce38a0c80eebfdf42ae963eedbd63ac6eacc
SHA512

2a0dae6e457e19bec6e9e554f33294417d73f98d35643a04160f1b02f14be45b9004082e7dc076ed9af7b1690ef91cf5bcbb92a8a8a9446d4e690f119192b767
SSDEEP

3072:Bb4MOYUuQaS+T8sv8X31OjqOjNhOYpbxqH8QWnzCrAZuGYW:sYUuQaS+T8sv8X31OXNtbg2

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

https://api.telegram.org/bot1422952298:AAEUK5QmhKaWUtETf1GIcyg7deR8JXsbh2c/sendMessage?chat_id=1189853645

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye
Toxiceye family
toxiceye

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3036	rat.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2860	tasklist.exe
2960	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
2664	timeout.exe
2916	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
572	schtasks.exe
2728	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3036	rat.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3036	rat.exe
3036	rat.exe
3036	rat.exe
3036	rat.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	788	ChekMine.exe
Token: SeDebugPrivilege	2860	tasklist.exe
Token: SeDebugPrivilege	2960	tasklist.exe
Token: SeDebugPrivilege	3036	rat.exe
Token: SeDebugPrivilege	3036	rat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3036	rat.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 572	788	ChekMine.exe	33
PID 788 wrote to memory of 572	788	ChekMine.exe	33
PID 788 wrote to memory of 572	788	ChekMine.exe	33
PID 788 wrote to memory of 2804	788	ChekMine.exe	35
PID 788 wrote to memory of 2804	788	ChekMine.exe	35
PID 788 wrote to memory of 2804	788	ChekMine.exe	35
PID 2804 wrote to memory of 2860	2804	cmd.exe	37
PID 2804 wrote to memory of 2860	2804	cmd.exe	37
PID 2804 wrote to memory of 2860	2804	cmd.exe	37
PID 2804 wrote to memory of 2896	2804	cmd.exe	38
PID 2804 wrote to memory of 2896	2804	cmd.exe	38
PID 2804 wrote to memory of 2896	2804	cmd.exe	38
PID 2804 wrote to memory of 2664	2804	cmd.exe	39
PID 2804 wrote to memory of 2664	2804	cmd.exe	39
PID 2804 wrote to memory of 2664	2804	cmd.exe	39
PID 2804 wrote to memory of 2960	2804	cmd.exe	40
PID 2804 wrote to memory of 2960	2804	cmd.exe	40
PID 2804 wrote to memory of 2960	2804	cmd.exe	40
PID 2804 wrote to memory of 2836	2804	cmd.exe	41
PID 2804 wrote to memory of 2836	2804	cmd.exe	41
PID 2804 wrote to memory of 2836	2804	cmd.exe	41
PID 2804 wrote to memory of 2916	2804	cmd.exe	42
PID 2804 wrote to memory of 2916	2804	cmd.exe	42
PID 2804 wrote to memory of 2916	2804	cmd.exe	42
PID 2804 wrote to memory of 3036	2804	cmd.exe	43
PID 2804 wrote to memory of 3036	2804	cmd.exe	43
PID 2804 wrote to memory of 3036	2804	cmd.exe	43
PID 3036 wrote to memory of 2728	3036	rat.exe	45
PID 3036 wrote to memory of 2728	3036	rat.exe	45
PID 3036 wrote to memory of 2728	3036	rat.exe	45
PID 3036 wrote to memory of 1276	3036	rat.exe	47
PID 3036 wrote to memory of 1276	3036	rat.exe	47
PID 3036 wrote to memory of 1276	3036	rat.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ChekMine.exe
"C:\Users\Admin\AppData\Local\Temp\ChekMine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD308.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD308.tmp.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 788"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2896
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2664
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 788"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:2836
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2916
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2728
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3036 -s 1712
      4⤵
      PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD308.tmp.bat

Filesize
184B

MD5
778871bcf07d2f77d0002be724d408a6

SHA1
13d25223a5cdbdbe6594e65afa392e41215ba23f

SHA256
0fdd81985ade910c4d6679511860cb5406b047d6bfc255880510f500ad852881

SHA512
08742bedaa6ddd55389f0975f704a26405c967a8adeb38a0017a264c4b2b9a72f05af4d16bf987b118ff6d6431e634334a3295db70316bf401cf2ab84b58a17b

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
d0a8826179377706d50d8511b5270202

SHA1
a164924fdcaaa9a1c58e8ae4365f06b4da3e6ce3

SHA256
0fd3be20b5b0e61fc687de84a79cce38a0c80eebfdf42ae963eedbd63ac6eacc

SHA512
2a0dae6e457e19bec6e9e554f33294417d73f98d35643a04160f1b02f14be45b9004082e7dc076ed9af7b1690ef91cf5bcbb92a8a8a9446d4e690f119192b767

Download Submit
memory/788-0-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp

Filesize
4KB

Download
memory/788-1-0x0000000001250000-0x0000000001272000-memory.dmp

Filesize
136KB

Download
memory/788-2-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/788-6-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-10-0x00000000008B0000-0x00000000008D2000-memory.dmp

Filesize
136KB

Download