{ "id": "321bfcd9-5189-4134-9a26-1f423e931ca0", "created_at": "2026-04-06T00:09:32.027554Z", "updated_at": "2026-04-10T03:21:18.387401Z", "deleted_at": null, "sha1_hash": "90162a161c12b667be2d8ebfac1dc584e28d100a", "title": "malware-cfg/ToxicEyeRAT at main · albertzsigovits/malware-cfg", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 59425, "plain_text": "malware-cfg/ToxicEyeRAT at main · albertzsigovits/malware-cfg\r\nBy albertzsigovits\r\nArchived: 2026-04-05 22:58:03 UTC\r\nToxicEyeRAT malware configuration extraction\r\nScript\r\n# Potential improvements\r\n# Instead of hardcoded anchor-strings, use entrypoint +offsets for finding config\r\nimport os\r\nimport sys\r\nimport re\r\nimport pefile\r\nfrom pathlib import Path\r\ndef is_pe_file(file_path):\r\n try:\r\n pefile.PE(file_path)\r\n return True\r\n except:\r\n return False\r\ndef extract_wide_strings(file_path, min_length=4):\r\n with open(file_path, 'rb') as f:\r\n data = f.read()\r\n strings = []\r\n current_string = ''\r\n i = 0\r\n while i \u003c len(data) - 1:\r\n if data[i+1] == 0 and 32 \u003c= data[i] \u003c= 126:\r\n current_string += chr(data[i])\r\n i += 2\r\n else:\r\n if len(current_string) \u003e= min_length:\r\n strings.append(current_string)\r\n current_string = ''\r\n i += 1\r\n \r\n if len(current_string) \u003e= min_length:\r\nhttps://github.com/albertzsigovits/malware-cfg/tree/main/ToxicEyeRAT\r\nPage 1 of 8\n\nstrings.append(current_string)\r\n #print(strings)\r\n return strings\r\ndef find_config(strings):\r\n cfg_info = {}\r\n for i, s in enumerate(strings):\r\n if \".json\" in s:\r\n cfg_info['Bitcoin'] = strings[i + 1]\r\n cfg_info['Etherium'] = strings[i + 2]\r\n cfg_info['Monero'] = strings[i + 3]\r\n if \"JSON Parse: Quotation marks seems to be messed up.\" in s:\r\n cfg_info['InstallPath'] = strings[i + 1]\r\n cfg_info['AutorunName'] = strings[i + 2]\r\n if \"Number is greater than connected displays.\" in s:\r\n cfg_info['BotID'] = strings[i + 1]\r\n cfg_info['ChatID'] = strings[i + 2]\r\n return cfg_info\r\ndef process_folder(folder_path):\r\n for root, _, files in os.walk(folder_path):\r\n for file in files:\r\n file_path = Path(root) / file\r\n if is_pe_file(file_path):\r\n print(f\"PE file found: {file_path}\")\r\n strings = extract_wide_strings(file_path)\r\n config = find_config(strings)\r\n if config:\r\n for key, value in config.items():\r\n print(f\" {key.capitalize()}: {value}\")\r\n else:\r\n print(\"No CFG Information found\")\r\nif __name__ == \"__main__\":\r\n if len(sys.argv) != 2:\r\n print(\"Usage: python script.py \")\r\n sys.exit(1)\r\n \r\n folder_path = sys.argv[1]\r\n if not os.path.isdir(folder_path):\r\n print(f\"Error: {folder_path} is not a valid directory\")\r\n sys.exit(1)\r\n \r\n process_folder(folder_path)\r\nOutput\r\nhttps://github.com/albertzsigovits/malware-cfg/tree/main/ToxicEyeRAT\r\nPage 2 of 8\n\nPE file found: samples/2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4\r\n Installpath: C:\\Users\\ToxicEye\\rat.exe\r\n Autorunname: Chrome Update\r\n Bitcoin: 1DJ5VetDBuQnmDZjRHRgEiCwYwvc6PSwu8\r\n Etherium: 0x357C0541F19a7755AFbF1CCD824EE06059404238\r\n Monero: 42Pwy6Xe4mPTz3mLap7AB5Jjd9NBt1MWjiqyvEFx3Fn8Fo9cRw9aJUHE1iTXEpUbQacMNiSxYejBKFE7UdGnyEncEEC\r\n Botid: 5981399083:AAEHnXdvbepNaf6NW5inPfw0j_A5k_d0F-o\r\n Chatid: 5564760978\r\nPE file found: samples/4ea7e73f2854efa48c46ec1d99b647c0bbd274b32d183beaec0d5e8774e5005f\r\n Installpath: C:\\Users\\autoupdate\\update.exe\r\n Autorunname: Chrome Update\r\n Bitcoin: bc1qgsw0j06uy72euer9calppr4mtlu9826ugkzyel\r\n Etherium: 0xCB3Fe4B92f74A16592576bE186B8b39C10a0811F\r\n Monero: GBYAVJXEOMMUEF3G6F7XJOBD5LYWO47R7Z7FV6RHPKXGOGH7IHKJD2EE\r\n Botid: 5498387673:AAF0PqxFYWRu0ioPVaK-ZP5umyKlFVXVajM\r\n Chatid: 637293597\r\nPE file found: samples/294e5efb8db8a8e1112e2890a6ea945e7920e3d4f83c4c81c9ace8cec6306020\r\n Installpath: C:\\Windows\\System32\\Sub302\\svchost.exe\r\n Autorunname: Java Update\r\n Bitcoin: 1DJ5VetDBuQnmDZjRHRgEiCwYwvc6PSwu8\r\n Etherium: 0x357C0541F19a7755AFbF1CCD824EE06059404238\r\n Monero: 42Pwy6Xe4mPTz3mLap7AB5Jjd9NBt1MWjiqyvEFx3Fn8Fo9cRw9aJUHE1iTXEpUbQacMNiSxYejBKFE7UdGnyEncEEC\r\n Botid: 5245693641:AAF7eZrRjdXCkx-zaq0R9OGO7Zy2XnOizLQ\r\n Chatid: 874740096\r\nPE file found: samples/c08017c476f4aae9085ed1dfe00c72ca260cddc276ef391716e62afc53e97663\r\n Installpath: C:\\Users\\ToxicEye\\rat.exe\r\n Autorunname: Chrome Update\r\n Bitcoin: 1DJ5VetDBuQnmDZjRHRgEiCwYwvc6PSwu8\r\n Etherium: 0x357C0541F19a7755AFbF1CCD824EE06059404238\r\n Monero: 42Pwy6Xe4mPTz3mLap7AB5Jjd9NBt1MWjiqyvEFx3Fn8Fo9cRw9aJUHE1iTXEpUbQacMNiSxYejBKFE7UdGnyEncEEC\r\n Botid: 1827852599:AAFwI-lniXiikR620kaPKw-aBcjPkkUlrLY\r\n Chatid: 1853695902\r\nPE file found: samples/728c4e3a68f1f55cbafffc315ace09d2dc21857964cc60389f1382fabecec70a\r\n Installpath: C:\\Users\\BIBIL\\Desktop\\TelegramRAT\\TelegramRAT\\bin\\Release\\rat.exe\r\n Autorunname: Chrome Update\r\n Bitcoin: 1DJ5VetDBuQnmDZjRHRgEiCwYwvc6PSwu8\r\n Etherium: 0x357C0541F19a7755AFbF1CCD824EE06059404238\r\n Monero: 42Pwy6Xe4mPTz3mLap7AB5Jjd9NBt1MWjiqyvEFx3Fn8Fo9cRw9aJUHE1iTXEpUbQacMNiSxYejBKFE7UdGnyEncEEC\r\n Botid: 1783902025:AAHm9dm4RX-LOHSfENpqgBpDfscY7wMp7cs\r\n Chatid: 1114717555\r\nYARA (IL)\r\nrule RAT_ToxicEye_IL : malware rat toxiceye {\r\n meta:\r\nhttps://github.com/albertzsigovits/malware-cfg/tree/main/ToxicEyeRAT\r\nPage 3 of 8\n\nauthor = \"albertzsigovits\"\r\n sha256 = \"2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4\"\r\n reference = \"https://github.com/albertzsigovits/malware-cfg/tree/main/ToxicEyeRAT\"\r\n reference = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye\"\r\n reference = \"https://bazaar.abuse.ch/browse/signature/toxiceye/\"\r\n strings:\r\n $ = {\r\n 80 ?? 00 00 04 // stsfld bool TelegramRAT.config::ClipperEnabled\r\n 72 [4] // ldstr a1dj5vetdbuqnmd // \"1DJ5VetDBuQnmDZjRHRgEiCwYwv\r\n 80 ?? 00 00 04 // stsfld string TelegramRAT.config::bitcoin_address\r\n 72 [4] // ldstr a0x357c0541f19a // \"0x357C0541F19a7755AFbF1CCD8\r\n 80 ?? 00 00 04 // stsfld string TelegramRAT.config::etherium_address\r\n 72 [4] // ldstr a42pwy6xe4mptz3 // \"42Pwy6Xe4mPTz3mLap7AB5Jjd9N\r\n 80 ?? 00 00 04 // stsfld string TelegramRAT.config::monero_address\r\n 2? // ret\r\n }\r\n \r\n $ = {\r\n 80 ?? 00 00 04 // stsfld string[] TelegramRAT.config::EncryptionFileType\r\n 20 [4] // ldc.i4 0x600000\r\n ?? // conv.i8\r\n 80 ?? 00 00 04 // stsfld int64 TelegramRAT.config::GrabFileSize\r\n 1F ?? // ldc.i4.s 0x15\r\n 8D [4] // newarr [mscorlib]System.String\r\n 2? // dup\r\n }\r\n \r\n $ = {\r\n 80 ?? 00 00 04 // stsfld bool TelegramRAT.config::MeltFileAfterStart\r\n 72 [4] // ldstr aCUsersToxiceye // \"C:\\\\Users\\\\ToxicEye\\\\rat.ex\r\n 80 ?? 00 00 04 // stsfld string TelegramRAT.config::InstallPath\r\n 1? // ldc.i4.1\r\n 80 ?? 00 00 04 // stsfld bool TelegramRAT.config::AutorunEnabled\r\n 72 [4] // ldstr aChromeUpdate // \"Chrome Update\"\r\n 80 ?? 00 00 04 // stsfld string TelegramRAT.config::AutorunName\r\n 1? // ldc.i4.1\r\n 80 ?? 00 00 04 // stsfld bool TelegramRAT.config::ProcessBSODProtectionE\r\n 1? // ldc.i4.1\r\n 80 ?? 00 00 04 // stsfld bool TelegramRAT.config::HideConsoleWindow\r\n 1? // ldc.i4.1\r\n 80 ?? 00 00 04 // stsfld bool TelegramRAT.config::PreventStartOnVirtualM\r\n 1? // ldc.i4.0\r\n 80 ?? 00 00 04 // stsfld int32 TelegramRAT.config::StartDelay\r\n 1? // ldc.i4.1\r\n 80 ?? 00 00 04 // stsfld bool TelegramRAT.config::BlockNetworkActivityWh\r\n 1F ?? // ldc.i4.s 9\r\nhttps://github.com/albertzsigovits/malware-cfg/tree/main/ToxicEyeRAT\r\nPage 4 of 8\n\n8D [4] // newarr [mscorlib]System.String\r\n 2? // dup\r\n }\r\n condition:\r\n all of them\r\n}\r\nYARA (Ascii)\r\nrule RAT_ToxicEye_StringsA : malware rat toxiceye {\r\n meta:\r\n author = \"albertzsigovits\"\r\n sha256 = \"2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4\"\r\n reference = \"https://github.com/albertzsigovits/malware-cfg/tree/main/ToxicEyeRAT\"\r\n reference = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye\"\r\n reference = \"https://bazaar.abuse.ch/browse/signature/toxiceye/\"\r\n strings:\r\n $ = \"\\\\Users\\\\attationin\"\r\n $ = \"\\\\ToxicEye-master-myfork\"\r\n $ = \"\\\\ToxicEye-master\"\r\n $ = \"TelegramChatID\"\r\n $ = \"TelegramRAT\"\r\n $ = \"TelegramToken\"\r\n $ = \"TelegramGrabber\"\r\n $ = \"TelegramCommandCheckDelay\"\r\n $ = \"AutoStealer\"\r\n $ = \"Clipper\"\r\n $ = \"Ivan Medvedev\"\r\n $ = \"AttributeSystemEnabled\"\r\n $ = \"AttributeHiddenEnabled\"\r\n $ = \"ProcessBSODProtectionEnabled\"\r\n $ = \"AutorunEnabled\"\r\n $ = \"AutoStealerEnabled\"\r\n $ = \"ClipperEnabled\"\r\n $ = \"inSandboxie\"\r\n $ = \"DiscordGrabber\"\r\n $ = \"SteamGrabber\"\r\n $ = \"TelegramGrabber\"\r\n $ = \"runAntiAnalysis\"\r\n $ = \"DetectAntivirus\"\r\n $ = \"webcamScreenshot\"\r\n $ = \"desktopScreenshot\"\r\n condition:\r\nhttps://github.com/albertzsigovits/malware-cfg/tree/main/ToxicEyeRAT\r\nPage 5 of 8\n\n15 of them\r\n}\r\nYARA (Wide)\r\nrule RAT_ToxicEye_StringsW : malware rat toxiceye {\r\n meta:\r\n author = \"albertzsigovits\"\r\n sha256 = \"2e53a6710f04dd84cfd3ac1874a2a61e690568405f192e7cbf8a4df12da334c4\"\r\n reference = \"https://github.com/albertzsigovits/malware-cfg/tree/main/ToxicEyeRAT\"\r\n reference = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye\"\r\n reference = \"https://bazaar.abuse.ch/browse/signature/toxiceye/\"\r\n strings:\r\n $str01 = \"ToxicEye\" wide\r\n $str02 = \"Coded by LimerBoy, attationin, Apasniy Suren\" wide\r\n $str03 = \"Do not spread among people, this was developed against mamonts only!\" wide\r\n $str04 = \"Preparing blue screen of death...\" wide\r\n $str05 = \"Warning! System will be destroyed! Run command /OverwriteBootSector_CONFIRM to cont\r\n $str06 = \"Trying overwrite boot sector...\" wide\r\n $str07 = \"Found blocked process\" wide\r\n $str08 = \"This is some text in the file.\" wide\r\n $str09 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\" wide\r\n $str10 = \"DisableTaskMgr\" wide\r\n $str11 = \"\\\\root\\\\SecurityCenter2\" wide\r\n $str12 = \"Select * from AntivirusProduct\" wide\r\n $str13 = \"Starting autostealer...\" wide\r\n $str14 = \"Stopping autostealer...\" wide\r\n $str15 = \"autosteal.lock\" wide\r\n $str16 = \".crypted\" wide\r\n $str17 = \"STEALER:\" wide\r\n $status01 = \"[!] Failed load libraries, not connected to internet!\" wide\r\n $status02 = \"[!] Stopping command listener thread\" wide\r\n $status03 = \"[!] Retrying connect to api.telegram.org\" wide\r\n $status04 = \"[!] Retrying connect to internet...\" wide\r\n $status05 = \"[!] Shutdown signal received..\" wide\r\n $status06 = \"[+] Process checker started\" wide\r\n $status07 = \"[+] Restarting command listener thread\" wide\r\n $status08 = \"[+] Set process critical\" wide\r\n $status09 = \"[+] Set process not critical\" wide\r\n $status10 = \"[+] Hiding console window\" wide\r\n $status11 = \"[+] Copying to system...\" wide\r\n $status12 = \"[+] Uninstalling from system...\" wide\r\n $status13 = \"[+] Installing to autorun...\" wide\r\n $status14 = \"[+] Uninstalling from autorun...\" wide\r\nhttps://github.com/albertzsigovits/malware-cfg/tree/main/ToxicEyeRAT\r\nPage 6 of 8\n\n$status15 = \"[+] Clipper is starting...\" wide\r\n $status16 = \"[?] Already running 1 copy of the program\" wide\r\n $status17 = \"[?] Sleeping {0}\" wide\r\n $status18 = \"[~] Trying elevate previleges to administrator...\" wide\r\n $cnc01 = \"https://api.mylnikov.org/geolocation/wifi?bssid\" wide\r\n $cnc02 = \"http://ip-api.com/json/\" wide\r\n $cnc03 = \"https://api.telegram.org/\" wide\r\n $cnc04 = \"https://api.telegram.org/file/\" wide\r\n $txt01 = \"keylogs.txt\" wide\r\n $txt02 = \"MyTest.txt\" wide\r\n $txt03 = \"bookmarks.txt\" wide\r\n $txt04 = \"cookies.txt\" wide\r\n $txt05 = \"credit_cards.txt\" wide\r\n $txt06 = \"filezilla.txt\" wide\r\n $txt07 = \"history.txt\" wide\r\n $txt08 = \"passwords.txt\" wide\r\n $zip01 = \"desktop.zip\" wide\r\n $zip02 = \"steam.zip\" wide\r\n $zip03 = \"audio.zip\" wide\r\n $zip04 = \"fmedia.zip\" wide\r\n $debug01 = \"Trying to kill Defender...\" wide\r\n $debug02 = \"Uninstalling malware from device...\" wide\r\n $debug03 = \"Preparing ForkBomb...\" wide\r\n $debug04 = \"Preparing blue screen of death...\" wide\r\n $debug05 = \"Trying overwrite boot sector...\" wide\r\n $debug06 = \"Starting autostealer...\" wide\r\n $debug07 = \"Stopping autostealer...\" wide\r\n $debug08 = \"Archiving desktop files...\" wide\r\n $debug09 = \"Telegram session found by process. Please wait...\" wide\r\n $debug10 = \"Telegram session found in default path. Please wait...\" wide\r\n $debug11 = \"Uploading file...\" wide\r\n $debug12 = \"Uploading directory...\" wide\r\n $debug13 = \"Downloading CommandCam...\" wide\r\n $debug14 = \"Downloading FMedia...\" wide\r\n $debug15 = \"Please wait...\" wide\r\n $debug16 = \"Target turns off the power on the device...\" wide\r\n $exfil01 = \"[BOOKMARKS]\" wide\r\n $exfil02 = \"[COOKIES]\" wide\r\n $exfil03 = \"[CREDIT CARDS]\" wide\r\n $exfil04 = \"[FILEZILLA SERVERS]\" wide\r\n $exfil05 = \"[HISTORY]\" wide\r\n $exfil06 = \"[PASSWORDS]\" wide\r\nhttps://github.com/albertzsigovits/malware-cfg/tree/main/ToxicEyeRAT\r\nPage 7 of 8\n\ncondition:\r\n 10 of ($str*)\r\n or 10 of ($status*)\r\n or all of ($cnc*)\r\n or 7 of ($txt*)\r\n or all of ($zip*)\r\n or 10 of ($debug*)\r\n or all of ($exfil*)\r\n or ( 1 of ($str*) and 1 of ($status*) and 1 of ($cnc*) and 1 of ($txt*) and 1 of ($zip*) and\r\n}\r\nSource: https://github.com/albertzsigovits/malware-cfg/tree/main/ToxicEyeRAT\r\nhttps://github.com/albertzsigovits/malware-cfg/tree/main/ToxicEyeRAT\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://github.com/albertzsigovits/malware-cfg/tree/main/ToxicEyeRAT" ], "report_names": [ "ToxicEyeRAT" ], "threat_actors": [], "ts_created_at": 1775434172, "ts_updated_at": 1775791278, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/90162a161c12b667be2d8ebfac1dc584e28d100a.pdf", "text": "https://archive.orkl.eu/90162a161c12b667be2d8ebfac1dc584e28d100a.txt", "img": "https://archive.orkl.eu/90162a161c12b667be2d8ebfac1dc584e28d100a.jpg" } }