Malware Analysis Report

2024-08-06 11:59

Sample ID 240302-cybt5ahc55
Target TelegramRAT.exe
SHA256 a0790e8195c00714a8486ea9c7a9902e8dd9efc498c3c31737b1e753ac319d09
Tags
toxiceye rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a0790e8195c00714a8486ea9c7a9902e8dd9efc498c3c31737b1e753ac319d09

Threat Level: Known bad

The file TelegramRAT.exe was found to be: Known bad.

Malicious Activity Summary

toxiceye rat trojan

ToxicEye

Contains code to disable Windows Defender

Toxiceye family

Checks computer location settings

Deletes itself

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates processes with tasklist

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Process Discovery
T1057
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-03-02 02:28

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Toxiceye family

toxiceye

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 02:28

Reported

2024-03-02 02:31

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ToxicEye

rat trojan toxiceye

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\schtasks.exe
PID 3048 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\schtasks.exe
PID 3048 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\schtasks.exe
PID 3048 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\cmd.exe
PID 3048 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\cmd.exe
PID 3048 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\cmd.exe
PID 2720 wrote to memory of 2728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2720 wrote to memory of 2728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2720 wrote to memory of 2728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2720 wrote to memory of 1984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2720 wrote to memory of 1984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2720 wrote to memory of 1984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2720 wrote to memory of 2468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2720 wrote to memory of 2468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2720 wrote to memory of 2468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2720 wrote to memory of 2532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2720 wrote to memory of 2532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2720 wrote to memory of 2532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2720 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2720 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2720 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2720 wrote to memory of 2464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2720 wrote to memory of 2464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2720 wrote to memory of 2464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2720 wrote to memory of 2396 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 2720 wrote to memory of 2396 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 2720 wrote to memory of 2396 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 2396 wrote to memory of 1728 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe
PID 2396 wrote to memory of 1728 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe
PID 2396 wrote to memory of 1728 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe
PID 2396 wrote to memory of 2812 N/A C:\Users\CyberEye\rat.exe C:\Windows\system32\WerFault.exe
PID 2396 wrote to memory of 2812 N/A C:\Users\CyberEye\rat.exe C:\Windows\system32\WerFault.exe
PID 2396 wrote to memory of 2812 N/A C:\Users\CyberEye\rat.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 3048"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 3048"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\CyberEye\rat.exe

"rat.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2396 -s 1564

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/3048-0-0x0000000001100000-0x000000000112A000-memory.dmp

memory/3048-1-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

memory/3048-2-0x000000001AE50000-0x000000001AED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp86AD.tmp.bat

MD5 630ab1d005a9a31ddd0306242c128758
SHA1 8126800efa383201467b304a74c4d82bccd00930
SHA256 58ba2935d7b759b59371281023f9a9e2db970d14ffc90025e3fb583442602b3f
SHA512 2f4620d3f65f7f949e271335d384c2097bdbd6deac7849ee8884cc864155aae84ef543b1ae468f1d176b551ce94ff4269ade38e9148c5af6d3d83792aa5070a7

memory/3048-6-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

C:\Users\CyberEye\rat.exe

MD5 5ed0d420fc1b4641d8b88cf909be6e4e
SHA1 a324050949e558a339cfc02e761e12dd657f1ee2
SHA256 a0790e8195c00714a8486ea9c7a9902e8dd9efc498c3c31737b1e753ac319d09
SHA512 f3d000019faa786fa589bee3fb07abcd7c928220066b56ecac69c46077feb742cbd6dfa6a6bdb3fb4861154751b12d99ef71b487b12655b41127d132fc2e628e

memory/2396-10-0x0000000000B60000-0x0000000000B8A000-memory.dmp

memory/2396-12-0x000000001AE50000-0x000000001AED0000-memory.dmp

memory/2396-11-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

memory/2396-13-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

memory/2396-14-0x000000001AE50000-0x000000001AED0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 02:28

Reported

2024-03-02 02:29

Platform

win10v2004-20240226-en

Max time kernel

14s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ToxicEye

rat trojan toxiceye

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\CyberEye\rat.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\schtasks.exe
PID 3056 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\schtasks.exe
PID 3056 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\cmd.exe
PID 3056 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\cmd.exe
PID 4484 wrote to memory of 396 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4484 wrote to memory of 396 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4484 wrote to memory of 3228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4484 wrote to memory of 3228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4484 wrote to memory of 3484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 4484 wrote to memory of 3484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 4484 wrote to memory of 4504 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 4484 wrote to memory of 4504 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 4504 wrote to memory of 4816 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe
PID 4504 wrote to memory of 4816 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6BAA.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6BAA.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 3056"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\CyberEye\rat.exe

"rat.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp

Files

memory/3056-0-0x000001808D8A0000-0x000001808D8CA000-memory.dmp

memory/3056-1-0x00007FFD01970000-0x00007FFD02431000-memory.dmp

memory/3056-2-0x00000180A7EB0000-0x00000180A7EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6BAA.tmp.bat

MD5 e3ddd2d7a514c059a7435761672403bc
SHA1 9fbc6658339d095e31c09edd948f9f1e92b9aa1a
SHA256 8416949936d30c05812eaac30505e2348313bfa8c42bd2b6ed6eeb14237bc665
SHA512 207d63b34e0ed750d187ae4497b742ac7a7ad3ca68e7aac3f9b7cde2327b1e294e38935fe7616780a127e9d332a7ac76fc453b90e3b9c0af071f2dbceb7cb37f

memory/3056-7-0x00007FFD01970000-0x00007FFD02431000-memory.dmp

C:\Users\CyberEye\rat.exe

MD5 5ed0d420fc1b4641d8b88cf909be6e4e
SHA1 a324050949e558a339cfc02e761e12dd657f1ee2
SHA256 a0790e8195c00714a8486ea9c7a9902e8dd9efc498c3c31737b1e753ac319d09
SHA512 f3d000019faa786fa589bee3fb07abcd7c928220066b56ecac69c46077feb742cbd6dfa6a6bdb3fb4861154751b12d99ef71b487b12655b41127d132fc2e628e

memory/4504-11-0x00007FFD01CF0000-0x00007FFD027B1000-memory.dmp

memory/4504-12-0x0000026433FC0000-0x0000026433FD0000-memory.dmp

memory/4504-14-0x00000264344C0000-0x00000264344D2000-memory.dmp

memory/4504-16-0x0000026434340000-0x000002643434A000-memory.dmp

memory/4504-17-0x00007FFD01CF0000-0x00007FFD027B1000-memory.dmp