Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 02-03-2024 02:29

Behavioral task: behavioral1
Sample: TelegramRAT.exe
Resource: win7-20240221-en

General

Target: TelegramRAT.exe
Size: 143KB
MD5: d469138477c7462efab75afd4bd13db7
SHA1: daa970c886981f8ae8264fda8fc104dbffac6c66
SHA256: d064c0c5e34236710062931303079f19ec3974327b3800d9fb6ec69fed002100
SHA512: 8188e0988a95c4cc1bef475c841c781aa4c3a603cfc15184bd3f4e6103d9631effc722c2f67aee268650254490e89a57a75493f9fccec28b9058108579aea0a8
SSDEEP: 3072:GhcmsSrI7vLHvWk4EqvE2Rf2p65dd54f/iaK9N4bve0ZQWf5CrAZuCrM:Gv4v8Ef/iayubWa
Malware Config

Extracted
Family: toxiceye
C2: https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698
Signatures

Contains code to disable Windows Defender (3 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource                                                                  yara_rule
  behavioral1/memory/2868-0-0x0000000001060000-0x000000000108A000-memory.dmp   disable_win_def
  behavioral1/files/0x000c0000000126ab-8.dat                                   disable_win_def
  behavioral1/memory/2424-10-0x0000000000FA0000-0x0000000000FCA000-memory.dmp  disable_win_def

Deletes itself (1 IoC)
  pid   process
  2252  cmd.exe

Executes dropped EXE (1 IoC)
  pid   process
  2424  rat.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   process
  2608  schtasks.exe
  472   schtasks.exe

Delays execution with timeout.exe (2 IoCs)
  pid   process
  2388  timeout.exe
  2408  timeout.exe

Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid   process
  2552  tasklist.exe
  2584  tasklist.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  2424  rat.exe
  2424  rat.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2868  TelegramRAT.exe
  Token: SeDebugPrivilege  2552  tasklist.exe
  Token: SeDebugPrivilege  2584  tasklist.exe
  Token: SeDebugPrivilege  2424  rat.exe
  Token: SeDebugPrivilege  2424  rat.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2424  rat.exe

Suspicious use of WriteProcessMemory (33 IoCs)
  description                        pid   process          procid_target
  PID 2868 wrote to memory of 2608   2868  TelegramRAT.exe  30
  PID 2868 wrote to memory of 2608   2868  TelegramRAT.exe  30
  PID 2868 wrote to memory of 2608   2868  TelegramRAT.exe  30
  PID 2868 wrote to memory of 2252   2868  TelegramRAT.exe  32
  PID 2868 wrote to memory of 2252   2868  TelegramRAT.exe  32
  PID 2868 wrote to memory of 2252   2868  TelegramRAT.exe  32
  PID 2252 wrote to memory of 2552   2252  cmd.exe          34
  PID 2252 wrote to memory of 2552   2252  cmd.exe          34
  PID 2252 wrote to memory of 2552   2252  cmd.exe          34
  PID 2252 wrote to memory of 2556   2252  cmd.exe          35
  PID 2252 wrote to memory of 2556   2252  cmd.exe          35
  PID 2252 wrote to memory of 2556   2252  cmd.exe          35
  PID 2252 wrote to memory of 2388   2252  cmd.exe          36
  PID 2252 wrote to memory of 2388   2252  cmd.exe          36
  PID 2252 wrote to memory of 2388   2252  cmd.exe          36
  PID 2252 wrote to memory of 2584   2252  cmd.exe          37
  PID 2252 wrote to memory of 2584   2252  cmd.exe          37
  PID 2252 wrote to memory of 2584   2252  cmd.exe          37
  PID 2252 wrote to memory of 2516   2252  cmd.exe          38
  PID 2252 wrote to memory of 2516   2252  cmd.exe          38
  PID 2252 wrote to memory of 2516   2252  cmd.exe          38
  PID 2252 wrote to memory of 2408   2252  cmd.exe          39
  PID 2252 wrote to memory of 2408   2252  cmd.exe          39
  PID 2252 wrote to memory of 2408   2252  cmd.exe          39
  PID 2252 wrote to memory of 2424   2252  cmd.exe          40
  PID 2252 wrote to memory of 2424   2252  cmd.exe          40
  PID 2252 wrote to memory of 2424   2252  cmd.exe          40
  PID 2424 wrote to memory of 472    2424  rat.exe          42
  PID 2424 wrote to memory of 472    2424  rat.exe          42
  PID 2424 wrote to memory of 472    2424  rat.exe          42
  PID 2424 wrote to memory of 2720   2424  rat.exe          44
  PID 2424 wrote to memory of 2720   2424  rat.exe          44
  PID 2424 wrote to memory of 2720   2424  rat.exe          44

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe  (PID 2868)
  command line: "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\schtasks.exe  (PID 2608)
    command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
    - Creates scheduled task(s)

  C:\Windows\System32\cmd.exe  (PID 2252)
    command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7A1F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7A1F.tmp.bat
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\tasklist.exe  (PID 2552)
      command line: Tasklist /fi "PID eq 2868"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\find.exe  (PID 2556)
      command line: find ":"

    C:\Windows\system32\timeout.exe  (PID 2388)
      command line: Timeout /T 1 /Nobreak
      - Delays execution with timeout.exe

    C:\Windows\system32\tasklist.exe  (PID 2584)
      command line: Tasklist /fi "PID eq 2868"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\find.exe  (PID 2516)
      command line: find ":"

    C:\Windows\system32\timeout.exe  (PID 2408)
      command line: Timeout /T 1 /Nobreak
      - Delays execution with timeout.exe

    C:\Users\CyberEye\rat.exe  (PID 2424)
      command line: "rat.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\schtasks.exe  (PID 472)
        command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
        - Creates scheduled task(s)

      C:\Windows\system32\WerFault.exe  (PID 2720)
        command line: C:\Windows\system32\WerFault.exe -u -p 2424 -s 1572
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 188B
MD5: da181be4e975d513e0ca94b8ff3f207f
SHA1: 639150727323758a4b9499764a9a7b43343c4134
SHA256: b1f776c4e8304087396645aea147ec0f2e1aa4634287e5e08e26e8d22be14c35
SHA512: 91baafb704269358fa649d5c51b76aed11634e4f0ec3b5c27e9f23873c3472d1cc959cd373ece8a93e99cd0c644b99bd009dac7520d8080ac7bc5c5069fe1847

Filesize: 143KB
MD5: d469138477c7462efab75afd4bd13db7
SHA1: daa970c886981f8ae8264fda8fc104dbffac6c66
SHA256: d064c0c5e34236710062931303079f19ec3974327b3800d9fb6ec69fed002100
SHA512: 8188e0988a95c4cc1bef475c841c781aa4c3a603cfc15184bd3f4e6103d9631effc722c2f67aee268650254490e89a57a75493f9fccec28b9058108579aea0a8