toxiceye | ea346b60666802c1985522daf4187f41aef151475086125fdad8c0930e0f78d3 | Triage

Sharing

General

Target

start.bat
Size

359B
Sample

250408-1xh4tasmv5
MD5

567faa0407f102c40f1796b392530852
SHA1

0adbdf7d448caae6e96e067d1551b7462d26c4fd
SHA256

ea346b60666802c1985522daf4187f41aef151475086125fdad8c0930e0f78d3
SHA512

0b3ef1798ef70ae67c9a65e1fce3dbb237224b6da6871c0777f3fc4438fbc5725be421c97220674d7a202a99736a206f4658119d8bcc7516699d022648082022

Score

10^/10

toxiceye discovery execution rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/Igor65afk/cxvd-vvcxxcvcxv/raw/refs/heads/main/TelegramRAT.exe

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7582691185:AAHyDd26FPsOpJGflKOytG7VEH8s8wridm0/sendMessage?chat_id=8029727797

Targets

- Target
  
  start.bat
- Size
  
  359B
- MD5
  
  567faa0407f102c40f1796b392530852
- SHA1
  
  0adbdf7d448caae6e96e067d1551b7462d26c4fd
- SHA256
  
  ea346b60666802c1985522daf4187f41aef151475086125fdad8c0930e0f78d3
- SHA512
  
  0b3ef1798ef70ae67c9a65e1fce3dbb237224b6da6871c0777f3fc4438fbc5725be421c97220674d7a202a99736a206f4658119d8bcc7516699d022648082022
Score

10^/10

toxiceye discovery execution rat spyware stealer trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- ToxicEye
  ToxicEye is a trojan written in C#.
  rat trojan toxiceye
- Toxiceye family
  toxiceye
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Enumerates processes with tasklist
  discovery
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

toxiceyediscoveryexecutionratspywarestealertrojan