Analysis
- max time kernel: 14s
- max time network: 20s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-03-2024 02:28
Behavioral task
- behavioral1
- Sample: TelegramRAT.exe
- Resource: win7-20240221-en
General
- Target: TelegramRAT.exe
- Size: 143KB
- MD5: 5ed0d420fc1b4641d8b88cf909be6e4e
- SHA1: a324050949e558a339cfc02e761e12dd657f1ee2
- SHA256: a0790e8195c00714a8486ea9c7a9902e8dd9efc498c3c31737b1e753ac319d09
- SHA512: f3d000019faa786fa589bee3fb07abcd7c928220066b56ecac69c46077feb742cbd6dfa6a6bdb3fb4861154751b12d99ef71b487b12655b41127d132fc2e628e
- SSDEEP: 3072:OhcmsSrI7vLHvWk4EqvE2Rf2p65dd54f/iaK9N4bve0ZQWf5CrAZuC+C:Ov4v8Ef/iayubWa
Malware Config
Extracted
- Family: toxiceye
- C2: https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698
Signatures
- Contains code to disable Windows Defender (3 IoCs)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource | yara_rule
  behavioral2/memory/3056-0-0x000001808D8A0000-0x000001808D8CA000-memory.dmp | disable_win_def
  behavioral2/files/0x0007000000023228-9.dat | disable_win_def
  behavioral2/memory/4504-12-0x0000026433FC0000-0x0000026433FD0000-memory.dmp | disable_win_def
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | rat.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | TelegramRAT.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4504 | rat.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
  flow | ioc
  33 | raw.githubusercontent.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1096 | schtasks.exe
  4816 | schtasks.exe
- Delays execution with timeout.exe (1 IoCs)
  pid | Process
  3484 | timeout.exe
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  pid | Process
  396 | tasklist.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  4504 | rat.exe
  4504 | rat.exe
  4504 | rat.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3056 | TelegramRAT.exe
  Token: SeDebugPrivilege | 396 | tasklist.exe
  Token: SeDebugPrivilege | 4504 | rat.exe
  Token: SeDebugPrivilege | 4504 | rat.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4504 | rat.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 3056 wrote to memory of 1096 | 3056 | TelegramRAT.exe | 94
  PID 3056 wrote to memory of 1096 | 3056 | TelegramRAT.exe | 94
  PID 3056 wrote to memory of 4484 | 3056 | TelegramRAT.exe | 96
  PID 3056 wrote to memory of 4484 | 3056 | TelegramRAT.exe | 96
  PID 4484 wrote to memory of 396 | 4484 | cmd.exe | 98
  PID 4484 wrote to memory of 396 | 4484 | cmd.exe | 98
  PID 4484 wrote to memory of 3228 | 4484 | cmd.exe | 99
  PID 4484 wrote to memory of 3228 | 4484 | cmd.exe | 99
  PID 4484 wrote to memory of 3484 | 4484 | cmd.exe | 100
  PID 4484 wrote to memory of 3484 | 4484 | cmd.exe | 100
  PID 4484 wrote to memory of 4504 | 4484 | cmd.exe | 101
  PID 4484 wrote to memory of 4504 | 4484 | cmd.exe | 101
  PID 4504 wrote to memory of 4816 | 4504 | rat.exe | 103
  PID 4504 wrote to memory of 4816 | 4504 | rat.exe | 103
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
  PID: 3056
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
    PID: 1096
    - Creates scheduled task(s)
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6BAA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6BAA.tmp.bat
    PID: 4484
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe
      Command line: Tasklist /fi "PID eq 3056"
      PID: 396
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\find.exe
      Command line: find ":"
      PID: 3228
    - C:\Windows\system32\timeout.exe
      Command line: Timeout /T 1 /Nobreak
      PID: 3484
      - Delays execution with timeout.exe
    - C:\Users\CyberEye\rat.exe
      Command line: "rat.exe"
      PID: 4504
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
        PID: 4816
        - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 188B
  MD5: e3ddd2d7a514c059a7435761672403bc
  SHA1: 9fbc6658339d095e31c09edd948f9f1e92b9aa1a
  SHA256: 8416949936d30c05812eaac30505e2348313bfa8c42bd2b6ed6eeb14237bc665
  SHA512: 207d63b34e0ed750d187ae4497b742ac7a7ad3ca68e7aac3f9b7cde2327b1e294e38935fe7616780a127e9d332a7ac76fc453b90e3b9c0af071f2dbceb7cb37f
- Filesize: 143KB
  MD5: 5ed0d420fc1b4641d8b88cf909be6e4e
  SHA1: a324050949e558a339cfc02e761e12dd657f1ee2
  SHA256: a0790e8195c00714a8486ea9c7a9902e8dd9efc498c3c31737b1e753ac319d09
  SHA512: f3d000019faa786fa589bee3fb07abcd7c928220066b56ecac69c46077feb742cbd6dfa6a6bdb3fb4861154751b12d99ef71b487b12655b41127d132fc2e628e