Analysis Overview
SHA256
d56b2acb792a0e9e636c40190064525352293bbabd04d31a89978c0c167f50aa
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
ToxicEye
Contains code to disable Windows Defender
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates processes with tasklist
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Delays execution with timeout.exe
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-02 01:23
Signatures
Unsigned PE
(1 hit; the static pass records no indicator, process or target for this signature)
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 01:23
Reported
2024-03-02 01:26
Platform
win7-20240221-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Contains code to disable Windows Defender
(5 hits; the report records no indicator, process or target for this signature)
ToxicEye
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.bat
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2104"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
(PID 2104 is TelegramRAT.exe, per the memory dumps under Files. The batch polls tasklist for that PID and sleeps one second between checks: tasklist only prints an "INFO: No tasks are running ..." line, which is what the find ":" filter matches, once the process is gone. The chain therefore waits for the dropper to exit before rat.exe below is started, and cmd deletes the batch afterwards.)
C:\Users\CyberEye\rat.exe
"rat.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1992 -s 1592
(Windows Error Reporting for PID 1992; the memory dumps under Files attribute that PID to rat.exe, so the dropped copy crashed on this Windows 7 run.)
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
| MD5 | 74f22ec8451a5d788ee312e2b637519c |
| SHA1 | a7bd09f6f3d7f9b3ec33b5d4c2787223459d1fc0 |
| SHA256 | 48614dc3fd49968db9c35b840a6609f397f2f1813daa7c56b659036edf82f2e2 |
| SHA512 | 5b356e4811c58bcede2c3a5a0614e40049ef2a68c63c76fa78f612441d1ca9e1200f7a0544ffbca66ab4e0668fd0ec196bf0cdbff60ff7097c5f476b1675492b |
memory/2104-6-0x00000000003E0000-0x000000000040A000-memory.dmp
memory/2104-7-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
memory/2104-8-0x000000001AD00000-0x000000001AD80000-memory.dmp
memory/2104-11-0x000007FEF5690000-0x000007FEF607C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.bat
| MD5 | c73eb55130cbf021c00c423fbc08620b |
| SHA1 | dde61d6dcfda595d10beef7a58064341f5fbcfe4 |
| SHA256 | 60fae2b41ec9a224ccc61267484f8c6c830b87146e9697dd38ae784350d435c5 |
| SHA512 | 18b26e2e6513830a60e13d5a1f2ff91578577ad1c2b2a3c0a0217339bc836e4d6d42976ecd694587f4216afdde51f051b6683e6863e5e5330e29edd5fd632788 |
C:\Users\CyberEye\rat.exe
| MD5 | 1999cdeae33e22f513edc20e9d250501 |
| SHA1 | a8be2acc32cdae5d35d1de65ec207971ce881817 |
| SHA256 | 7e54a1a5f837cbcb4ade60a74eebddace4a151262ae56b0b8d0c31c031f20e83 |
| SHA512 | 835c95de0742e88f0e18f8655cdcfc48c080b4e9f6df2580fc6f3c86b596548974d76ee9885170fb4555fa1980bffa5307ea0de77754af67a330f39519c192b1 |
C:\Users\CyberEye\rat.exe (second write to the same path; the hashes differ from the entry above, so both sets belong in the IOC list)
| MD5 | e2f9376ef143f665bda82ee1dea8a1da |
| SHA1 | df6570ae9d2dcf0a46ea516fd7d6097fcfaeffd8 |
| SHA256 | 6a192b299cceb8bbc02458de41a876383747d4fe28aef5f3235bd68a2cb44a29 |
| SHA512 | 2ac89224a32a77dc5bc71b253b9c564882c41246007ec2e33664fabb0a46116166725487d377593d577a27eece558bcabd366b15c9a76cd4453fc2ddb8047afe |
memory/1992-16-0x0000000000360000-0x000000000038A000-memory.dmp
memory/1992-17-0x000007FEF4CA0000-0x000007FEF568C000-memory.dmp
memory/1992-18-0x000000001B0D0000-0x000000001B150000-memory.dmp
memory/1992-19-0x000007FEF4CA0000-0x000007FEF568C000-memory.dmp
memory/1992-20-0x000000001B0D0000-0x000000001B150000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 01:23
Reported
2024-03-02 01:26
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Contains code to disable Windows Defender
(2 hits; the report records no indicator, process or target for this signature)
ToxicEye
Checks computer location settings
(Geo\Nation holds the user's GeoID, the value GetUserGeoID returns. All three stages read it, which fits geofencing, but many benign programs read it while initialising locale data, so the key query alone is a weak signal.)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\CyberEye\rat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5062.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5062.tmp.bat
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2876"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\CyberEye\rat.exe
"rat.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
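The process lists of behavioral1 and behavioral2 show the same chain: the dropper TelegramRAT.exe registers an ONLOGON task named "Chrome Update" at the highest run level pointing at C:\Users\CyberEye\rat.exe, then hands off to a self-deleting batch file in Temp whose children (tasklist filtered on the dropper's PID, find, timeout) wait for the dropper to exit before rat.exe runs and registers the task a second time. The following Python is an added example, not part of the sandbox report or of the malware: it encodes those two patterns as rules over process-creation events. The events are constructed from the behavioral1 command lines; the PIDs and parent PIDs are assumptions except 2104 and 1992, which the report's memory dumps, tasklist filter and WerFault line tie to TelegramRAT.exe and rat.exe. A constructed benign updater task is included as a control.

```python
"""Flag the persistence and wait-then-relaunch chain seen in the process lists.
Added example for this report, not part of the sandbox output or the malware."""
import re
import shlex

# Constructed process-creation events. Command lines are copied from the
# behavioral1 run. PIDs/PPIDs are assumptions that make the tree explicit,
# except 2104 (TelegramRAT.exe, from its memory dumps and the tasklist filter)
# and 1992 (rat.exe, from its memory dumps and the WerFault line).
EVENTS = [
    {"pid": 1500, "ppid": 900, "image": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'},
    {"pid": 2104, "ppid": 1500, "image": r"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"'},
    {"pid": 2200, "ppid": 2104, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"'},
    {"pid": 2240, "ppid": 2104, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA757.tmp.bat'},
    {"pid": 2260, "ppid": 2240, "image": r"C:\Windows\system32\tasklist.exe", "cmd": r'Tasklist /fi "PID eq 2104"'},
    {"pid": 2264, "ppid": 2240, "image": r"C:\Windows\system32\find.exe", "cmd": r'find ":"'},
    {"pid": 2270, "ppid": 2240, "image": r"C:\Windows\system32\timeout.exe", "cmd": r"Timeout /T 1 /Nobreak"},
    {"pid": 1992, "ppid": 2240, "image": r"C:\Users\CyberEye\rat.exe", "cmd": r'"rat.exe"'},
    {"pid": 2300, "ppid": 1992, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"'},
    # Constructed benign control: a vendor updater task whose target lives under Program Files.
    {"pid": 3000, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /create /sc HOURLY /tn "GoogleUpdateTaskMachineUA" /tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"'},
]

USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata)\\", re.I)
VENDOR_WORDS = ("chrome", "google", "microsoft", "windows", "update", "adobe")


def args_of(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]


def task_finding(ev):
    """Finding for a schtasks /create whose target is a user-writable binary, else None."""
    if not ev["image"].lower().endswith("schtasks.exe"):
        return None
    a = args_of(ev["cmd"])
    if "/create" not in (x.lower() for x in a):
        return None
    # Map each /switch to the token that follows it (valueless switches map to the next switch, harmlessly).
    opts = {a[i].lower(): a[i + 1] for i in range(len(a) - 1) if a[i].startswith("/")}
    target = opts.get("/tr", "")
    if not USER_WRITABLE.match(target):
        return None  # tasks pointing into Program Files or Windows are not flagged by this rule
    reasons = ["binary under a user-writable path"]
    if opts.get("/sc", "").upper() == "ONLOGON":
        reasons.append("runs at every logon")
    if opts.get("/rl", "").upper() == "HIGHEST":
        reasons.append("requests highest run level")
    name = opts.get("/tn", "")
    if any(w in name.lower() for w in VENDOR_WORDS):
        reasons.append(f"task name '{name}' masquerades as a vendor updater")
    return {"rule": "user_writable_logon_task", "pid": ev["pid"], "target": target, "reasons": reasons}


def melt_findings(events):
    """cmd.exe running a self-deleting Temp batch whose children poll tasklist for a PID,
    sleep with timeout, and start a binary from a user-writable path."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    out = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        low = e["cmd"].lower()
        if not (re.search(r"\\temp\\[^\s]+\.bat", low) and re.search(r"&\s*del\s", low)):
            continue
        kids = children.get(e["pid"], [])
        names = {k["image"].lower().rsplit("\\", 1)[-1] for k in kids}
        if not {"tasklist.exe", "timeout.exe"} <= names:
            continue
        waited = None
        for k in kids:
            m = re.search(r"pid eq (\d+)", k["cmd"], re.I)
            if m:  # resolve the polled PID to the image it belonged to
                waited = by_pid.get(int(m.group(1)), {}).get("image")
        started = [k["image"] for k in kids if USER_WRITABLE.match(k["image"])]
        out.append({"rule": "temp_batch_wait_and_relaunch", "pid": e["pid"],
                    "waits_for": waited, "starts": started})
    return out


def analyze(events):
    findings = [f for f in (task_finding(e) for e in events) if f]
    return findings + melt_findings(events)


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

The same dicts can be built from Sysmon Event ID 1 fields (Image, CommandLine, ProcessId, ParentProcessId). The task rule keys on the target path being user-writable rather than on the task name, so a "Chrome Update" task that really points into Program Files passes; the masquerading name only adds a reason to a finding that already exists.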
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
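Most rows in the two Network tables are reverse (PTR) lookups of unrelated addresses plus a google.com resolution; the indicator that matters is api.telegram.org and its TCP/443 endpoint 149.154.167.220, and one PTR row (220.167.154.149.in-addr.arpa) is that same endpoint being reverse-resolved. The following Python is an added example, not part of the report: it parses the behavioral2 rows (constructed here as tuples), turns PTR names back into addresses, and separates domains that were actually contacted from resolve-only names and PTR noise.

```python
"""Classify the rows of a sandbox Network table into C2 indicators and noise.
Added example for this report; not part of the sandbox output."""
import ipaddress
from collections import defaultdict

# Constructed from the behavioral2 Network table: (country, destination, domain, proto).
ROWS = [
    ("US", "8.8.8.8:53", "134.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "9.228.82.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "55.36.223.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "41.110.16.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "google.com", "udp"),
    ("US", "8.8.8.8:53", "api.telegram.org", "udp"),
    ("NL", "149.154.167.220:443", "api.telegram.org", "tcp"),
    ("NL", "149.154.167.220:443", "api.telegram.org", "tcp"),
    ("US", "8.8.8.8:53", "raw.githubusercontent.com", "udp"),
    ("US", "8.8.8.8:53", "220.167.154.149.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "86.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.134.221.88.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "23.173.189.20.in-addr.arpa", "udp"),
]

RESOLVERS = {"8.8.8.8"}  # the sandbox's DNS server: traffic to it is lookups, not C2


def ptr_to_ip(name):
    """'220.167.154.149.in-addr.arpa' -> '149.154.167.220'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.ip_address(".".join(reversed(octets))))
    except ValueError:
        return None


def triage(rows):
    """Map every name in the table to (kind, [ips]) where kind is one of
    contacted, resolved_only, ptr_of_contacted_ip or ptr_noise."""
    contacted = defaultdict(set)   # ip -> domains the sandbox connected to at that ip
    resolved = set()               # forward lookups
    ptr_names = {}                 # ip -> PTR name that was looked up
    for _country, dest, domain, proto in rows:
        ip, _port = dest.rsplit(":", 1)
        if ip in RESOLVERS and proto == "udp":
            back = ptr_to_ip(domain)
            if back:
                ptr_names[back] = domain
            else:
                resolved.add(domain)
        else:
            contacted[ip].add(domain)
    report = {}
    for domain in sorted(resolved):
        ips = sorted(ip for ip, names in contacted.items() if domain in names)
        report[domain] = ("contacted", ips) if ips else ("resolved_only", [])
    for ip, name in ptr_names.items():
        kind = "ptr_of_contacted_ip" if ip in contacted else "ptr_noise"
        report[name] = (kind, [ip])
    return report


def c2_candidates(report):
    """Domains that were both resolved and connected to."""
    return sorted(d for d, (kind, _ips) in report.items() if kind == "contacted")


if __name__ == "__main__":
    for name, (kind, ips) in triage(ROWS).items():
        print(f"{kind:22} {name} {ips}")
```

149.154.167.220 is Telegram's own infrastructure and serves legitimate clients, so alert on the domain in process context (a non-browser process under C:\Users talking to api.telegram.org) rather than blocking the IP alone. raw.githubusercontent.com is resolve-only in this run, but the report flags it as a hosting service abused by this family, so keep it as a weak indicator.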
Files
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
| MD5 | 74f22ec8451a5d788ee312e2b637519c |
| SHA1 | a7bd09f6f3d7f9b3ec33b5d4c2787223459d1fc0 |
| SHA256 | 48614dc3fd49968db9c35b840a6609f397f2f1813daa7c56b659036edf82f2e2 |
| SHA512 | 5b356e4811c58bcede2c3a5a0614e40049ef2a68c63c76fa78f612441d1ca9e1200f7a0544ffbca66ab4e0668fd0ec196bf0cdbff60ff7097c5f476b1675492b |
memory/2876-11-0x0000023960270000-0x000002396029A000-memory.dmp
memory/2876-12-0x00007FFBEE880000-0x00007FFBEF341000-memory.dmp
memory/2876-13-0x0000023962110000-0x0000023962120000-memory.dmp
memory/2876-17-0x00007FFBEE880000-0x00007FFBEF341000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5062.tmp.bat
| MD5 | 71c3050831ac51d533a22e201a12cd5c |
| SHA1 | f7854e3c8dfa8cf6e19b54388348f86afe6af0d3 |
| SHA256 | 9ec3de4e8497fda5e009772f2e5bff37f9d974368c950700d0645a04c2b3a9be |
| SHA512 | 5f1d82fcb764cc81c8cb5bb5fda5f33113afaf6d0e1b955bb9801ed09410bfdfd676f45e06b5c54ae815132fc7a6118fb2ca01ae4c6ed30bf33cb2d1891f6005 |
memory/4352-22-0x00007FFBEE880000-0x00007FFBEF341000-memory.dmp
memory/4352-23-0x00000242AADE0000-0x00000242AADF0000-memory.dmp
memory/4352-26-0x00007FFBEE880000-0x00007FFBEF341000-memory.dmp
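The dropped TelegramRAT.exe (same hashes in both runs) and rat.exe talk to api.telegram.org, which normally means a Telegram bot token is embedded somewhere in them: a Bot API call has the form https://api.telegram.org/bot<token>/<method>, and .NET samples keep such values as UTF-16LE user strings that an ASCII-only strings pass misses. The following Python is an added example, not code from the report or the malware: it extracts ASCII and UTF-16LE strings from a binary and reports bot-token-shaped values and Telegram API URLs. The sample buffer and the token in it are constructed and fake.

```python
"""Static triage of a dropped binary for Telegram Bot API usage.
Added example; not from the report or the malware. The sample bytes are
constructed so the block runs offline; the token in them is fake."""
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Bot tokens are "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
TOKEN_RE = re.compile(r"(?<![0-9A-Za-z_-])(\d{8,10}:[A-Za-z0-9_-]{35})(?![0-9A-Za-z_-])")
TELEGRAM_RE = re.compile(r"https?://api\.telegram\.org[^\s\"']*|api\.telegram\.org", re.I)

FAKE_TOKEN = "1234567890:AAFfakeTOKENfakeTOKENfakeTOKEN12345"  # constructed; not a real token
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"https://api.telegram.org/bot{0}/sendMessage" + b"\x00" * 8   # ASCII string
    + FAKE_TOKEN.encode("utf-16-le") + b"\x00" * 8                  # .NET-style UTF-16LE string
    + b"noise" * 3
)


def extract_strings(data, utf16=True):
    """(encoding, text) pairs for printable runs of 6+ chars, ASCII and optionally UTF-16LE."""
    out = [("ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    if utf16:
        out += [("utf16", m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(data)]
    return out


def find_telegram_indicators(data, utf16=True):
    """Token-shaped strings and Telegram API URLs found in the buffer."""
    tokens, urls = set(), set()
    for _enc, s in extract_strings(data, utf16):
        tokens.update(TOKEN_RE.findall(s))
        urls.update(TELEGRAM_RE.findall(s))
    return {"tokens": sorted(tokens), "urls": sorted(urls)}


def triage_file(path):
    with open(path, "rb") as fh:
        return find_telegram_indicators(fh.read())


if __name__ == "__main__":
    print("ascii+utf16:", find_telegram_indicators(SAMPLE))
    print("ascii only: ", find_telegram_indicators(SAMPLE, utf16=False))
```

triage_file() runs the same scan over a real dropped file. A recovered token is a credential for the operator's bot: treat it as sensitive, keep it out of public write-ups, and pass it to Telegram's abuse contact and your IOC feed instead.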