toxiceye | TelegramRAT[.]exe | Triage

Sharing

General

Target

TelegramRAT.exe
Size

143KB
MD5

5ed0d420fc1b4641d8b88cf909be6e4e
SHA1

a324050949e558a339cfc02e761e12dd657f1ee2
SHA256

a0790e8195c00714a8486ea9c7a9902e8dd9efc498c3c31737b1e753ac319d09
SHA512

f3d000019faa786fa589bee3fb07abcd7c928220066b56ecac69c46077feb742cbd6dfa6a6bdb3fb4861154751b12d99ef71b487b12655b41127d132fc2e628e
SSDEEP

3072:OhcmsSrI7vLHvWk4EqvE2Rf2p65dd54f/iaK9N4bve0ZQWf5CrAZuC+C:Ov4v8Ef/iayubWa

Score

10^/10

toxiceye

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

Signatures

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource yara_rule

sample disable_win_def
Toxiceye family
toxiceye
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

TelegramRAT.exe

Files

TelegramRAT.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\notfishvr\Downloads\CyberEye-main\TelegramRAT\obj\Debug\TelegramRAT.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 140KB - Virtual size: 140KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ