Malware Analysis Report

2024-08-06 11:58

Sample ID 231029-q8btrsga8t
Target TelegramRAT.exe
SHA256 55d2ee012d4bc880210a63b0b9e10a31b65d58d2d341a0585806965c8030b519
Tags
toxiceye rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

55d2ee012d4bc880210a63b0b9e10a31b65d58d2d341a0585806965c8030b519

Threat Level: Known bad

The file TelegramRAT.exe was found to be: Known bad.

Malicious Activity Summary

toxiceye rat trojan

ToxicEye

Toxiceye family

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Suspicious behavior: AddClipboardFormatListener

Enumerates processes with tasklist

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Process Discovery
T1057
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2023-10-29 13:55

Signatures

Toxiceye family

toxiceye

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-29 13:55

Reported

2023-10-29 13:57

Platform

win10-20231023-en

Max time kernel

64s

Max time network

69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

Signatures

ToxicEye

rat trojan toxiceye

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\ToxicEye\rat.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\ToxicEye\rat.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\ToxicEye\rat.exe N/A
N/A N/A C:\Users\ToxicEye\rat.exe N/A
N/A N/A C:\Users\ToxicEye\rat.exe N/A
N/A N/A C:\Users\ToxicEye\rat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\ToxicEye\rat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\ToxicEye\rat.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\ToxicEye\rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1500 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\schtasks.exe
PID 1500 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\schtasks.exe
PID 1500 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\cmd.exe
PID 1500 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\cmd.exe
PID 4996 wrote to memory of 5060 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4996 wrote to memory of 5060 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4996 wrote to memory of 4464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4996 wrote to memory of 4464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4996 wrote to memory of 2924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 4996 wrote to memory of 2924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 4996 wrote to memory of 752 N/A C:\Windows\System32\cmd.exe C:\Users\ToxicEye\rat.exe
PID 4996 wrote to memory of 752 N/A C:\Windows\System32\cmd.exe C:\Users\ToxicEye\rat.exe
PID 752 wrote to memory of 2952 N/A C:\Users\ToxicEye\rat.exe C:\Windows\System32\schtasks.exe
PID 752 wrote to memory of 2952 N/A C:\Users\ToxicEye\rat.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpB74A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpB74A.tmp.bat

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 1500"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\ToxicEye\rat.exe

"rat.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 49.101.122.92.in-addr.arpa udp

Files

memory/1500-0-0x000001683EF50000-0x000001683EF72000-memory.dmp

memory/1500-1-0x00007FFDBEC30000-0x00007FFDBF61C000-memory.dmp

memory/1500-2-0x000001683F320000-0x000001683F330000-memory.dmp

memory/1500-6-0x00007FFDBEC30000-0x00007FFDBF61C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB74A.tmp.bat

MD5 90fe9accd9f6933c7dc8236f2b690667
SHA1 67daf35e832b59a67a3dd84fe86854462b97e928
SHA256 372270acf9c33afdb62d2e44325229c35029a2683a0279c01527003e3aacb9d5
SHA512 8c9c6802667cd0422ae5832adc494fe805e5860f9b1e0cadbff7619d947e51d418479f51f858a21c44ee6dd97ddb5cc035c4ff9f1452513d45405da8b25987c6

C:\Users\ToxicEye\rat.exe

MD5 122174c5133057a13e9d1aaaadf080d1
SHA1 c07281383bd7755df09c8de90b599938686efeb9
SHA256 55d2ee012d4bc880210a63b0b9e10a31b65d58d2d341a0585806965c8030b519
SHA512 d3899e4e2c369a36d7edfb7f165b441943cde89be6ff7645e83c8638c5d35f65b58b960414eb3ff35c4a119fbe6a37c12d2767db8a270c8b0a854d584f292b9b

C:\Users\ToxicEye\rat.exe

MD5 122174c5133057a13e9d1aaaadf080d1
SHA1 c07281383bd7755df09c8de90b599938686efeb9
SHA256 55d2ee012d4bc880210a63b0b9e10a31b65d58d2d341a0585806965c8030b519
SHA512 d3899e4e2c369a36d7edfb7f165b441943cde89be6ff7645e83c8638c5d35f65b58b960414eb3ff35c4a119fbe6a37c12d2767db8a270c8b0a854d584f292b9b

memory/752-11-0x00007FFDBEC30000-0x00007FFDBF61C000-memory.dmp

memory/752-12-0x00000208E4000000-0x00000208E4010000-memory.dmp

memory/752-13-0x00000208E4000000-0x00000208E4010000-memory.dmp

memory/752-14-0x00007FFDBEC30000-0x00007FFDBF61C000-memory.dmp

memory/752-15-0x00000208E4000000-0x00000208E4010000-memory.dmp