Analysis Overview
SHA256
48614dc3fd49968db9c35b840a6609f397f2f1813daa7c56b659036edf82f2e2
Threat Level: Known bad
The file TelegramRAT.exe was found to be: Known bad.
Malicious Activity Summary
Contains code to disable Windows Defender
ToxicEye
Toxiceye family
Downloads MZ/PE file
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Deletes itself
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-02 01:17
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Toxiceye family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 01:17
Reported
2024-03-02 01:20
Platform
win7-20240221-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ToxicEye
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp257B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp257B.tmp.bat
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 1948"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\CyberEye\rat.exe
"rat.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2556 -s 1516
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/1948-0-0x0000000000D90000-0x0000000000DBA000-memory.dmp
memory/1948-1-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp
memory/1948-2-0x000000001B0A0000-0x000000001B120000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp257B.tmp.bat
| MD5 | 7b344cb55f93a627fe30f7775f94819d |
| SHA1 | ef6b3b9d9d362bbeaa6b13041dab5c7a9329a95b |
| SHA256 | ee6c3f8ddb767ac6dbeddf30a5f0eb7b1e3d35ed1e94f1ff922a90fb7baeae7b |
| SHA512 | 12289722d9c057a0e3bf3029e5b5f46c6ed1e5c918d4c770f43b7e2ba954b4530eb1e7b3f7e7f854f5d741ded7b56d60a6454e4df4f2c36511de5738fa6900ff |
memory/1948-6-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp
C:\Users\CyberEye\rat.exe
| MD5 | 74f22ec8451a5d788ee312e2b637519c |
| SHA1 | a7bd09f6f3d7f9b3ec33b5d4c2787223459d1fc0 |
| SHA256 | 48614dc3fd49968db9c35b840a6609f397f2f1813daa7c56b659036edf82f2e2 |
| SHA512 | 5b356e4811c58bcede2c3a5a0614e40049ef2a68c63c76fa78f612441d1ca9e1200f7a0544ffbca66ab4e0668fd0ec196bf0cdbff60ff7097c5f476b1675492b |
memory/2556-10-0x0000000000DF0000-0x0000000000E1A000-memory.dmp
memory/2556-11-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
memory/2556-12-0x000000001B060000-0x000000001B0E0000-memory.dmp
memory/2556-13-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 01:17
Reported
2024-03-02 01:20
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ToxicEye
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\CyberEye\rat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3A0B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp3A0B.tmp.bat
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 1288"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\CyberEye\rat.exe
"rat.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
Files
memory/1288-0-0x0000026662D30000-0x0000026662D5A000-memory.dmp
memory/1288-1-0x00007FFF76DC0000-0x00007FFF77881000-memory.dmp
memory/1288-2-0x000002667D2F0000-0x000002667D300000-memory.dmp
memory/1288-6-0x00007FFF76DC0000-0x00007FFF77881000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3A0B.tmp.bat
| MD5 | eb41ef7079d9942e032d6d42177776a8 |
| SHA1 | 6cd671b0afd4862715168156c6d965d4829d9f7d |
| SHA256 | fe32340c9fbc2c260d6774d1bae46f93f45b0d519c9a415017fccd5cb94a82a5 |
| SHA512 | 6c5f4923bdadd8bd465b9d8bc36aac10c637077769231240724d687be8e45f5f4bca14727a0dc2d24a8b5ea36d730a675a33b7883224d77f7803a74546898d49 |
C:\Users\CyberEye\rat.exe
| MD5 | 74f22ec8451a5d788ee312e2b637519c |
| SHA1 | a7bd09f6f3d7f9b3ec33b5d4c2787223459d1fc0 |
| SHA256 | 48614dc3fd49968db9c35b840a6609f397f2f1813daa7c56b659036edf82f2e2 |
| SHA512 | 5b356e4811c58bcede2c3a5a0614e40049ef2a68c63c76fa78f612441d1ca9e1200f7a0544ffbca66ab4e0668fd0ec196bf0cdbff60ff7097c5f476b1675492b |
memory/2412-11-0x00007FFF76DC0000-0x00007FFF77881000-memory.dmp
memory/2412-12-0x000001DE1FA00000-0x000001DE1FA10000-memory.dmp
memory/2412-14-0x000001DE1FAB0000-0x000001DE1FABA000-memory.dmp
memory/2412-16-0x000001DE1FAC0000-0x000001DE1FAD2000-memory.dmp
memory/2412-42-0x00007FFF76DC0000-0x00007FFF77881000-memory.dmp
memory/2412-43-0x000001DE1FA00000-0x000001DE1FA10000-memory.dmp