Analysis
-
max time kernel
32s -
max time network
34s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-03-2024 02:29
Behavioral task
behavioral1
Sample
TelegramRAT.exe
Resource
win7-20240221-en
General
-
Target
TelegramRAT.exe
-
Size
143KB
-
MD5
d469138477c7462efab75afd4bd13db7
-
SHA1
daa970c886981f8ae8264fda8fc104dbffac6c66
-
SHA256
d064c0c5e34236710062931303079f19ec3974327b3800d9fb6ec69fed002100
-
SHA512
8188e0988a95c4cc1bef475c841c781aa4c3a603cfc15184bd3f4e6103d9631effc722c2f67aee268650254490e89a57a75493f9fccec28b9058108579aea0a8
-
SSDEEP
3072:GhcmsSrI7vLHvWk4EqvE2Rf2p65dd54f/iaK9N4bve0ZQWf5CrAZuCrM:Gv4v8Ef/iayubWa
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral2/memory/2408-0-0x0000023591250000-0x000002359127A000-memory.dmp disable_win_def behavioral2/files/0x0008000000023231-9.dat disable_win_def -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation TelegramRAT.exe Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation rat.exe -
Executes dropped EXE 1 IoCs
pid Process 1416 rat.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 31 raw.githubusercontent.com 32 raw.githubusercontent.com 33 raw.githubusercontent.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4116 schtasks.exe 3472 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4388 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 5080 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid Process 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe 1416 rat.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2408 TelegramRAT.exe Token: SeDebugPrivilege 5080 tasklist.exe Token: SeDebugPrivilege 1416 rat.exe Token: SeDebugPrivilege 1416 rat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1416 rat.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2408 wrote to memory of 4116 2408 TelegramRAT.exe 90 PID 2408 wrote to memory of 4116 2408 TelegramRAT.exe 90 PID 2408 wrote to memory of 4952 2408 TelegramRAT.exe 93 PID 2408 wrote to memory of 4952 2408 TelegramRAT.exe 93 PID 4952 wrote to memory of 5080 4952 cmd.exe 95 PID 4952 wrote to memory of 5080 4952 cmd.exe 95 PID 4952 wrote to memory of 1008 4952 cmd.exe 96 PID 4952 wrote to memory of 1008 4952 cmd.exe 96 PID 4952 wrote to memory of 4388 4952 cmd.exe 98 PID 4952 wrote to memory of 4388 4952 cmd.exe 98 PID 4952 wrote to memory of 1416 4952 cmd.exe 99 PID 4952 wrote to memory of 1416 4952 cmd.exe 99 PID 1416 wrote to memory of 3472 1416 rat.exe 102 PID 1416 wrote to memory of 3472 1416 rat.exe 102 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"2⤵
- Creates scheduled task(s)
PID:4116
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5360.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5360.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 2408"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5080
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:1008
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:4388
-
-
C:\Users\CyberEye\rat.exe"rat.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"4⤵
- Creates scheduled task(s)
PID:3472
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
188B
MD50294ef40516dbd68cd2d24997312dc49
SHA1bf196902555c00be63d0ce19155f377068728d40
SHA25656e275c5f8cb963c58f686e4c361a05afbabc2548a3d1c7bc30388894ffac846
SHA51224a7053fa9700cb29fab9884d585b224c3584962a87ec5b46812ae58e3e240275934a4aae149795abe5bfabca77880683346e3662447cb2a46ce1a06cbe9f7c9
-
Filesize
143KB
MD5d469138477c7462efab75afd4bd13db7
SHA1daa970c886981f8ae8264fda8fc104dbffac6c66
SHA256d064c0c5e34236710062931303079f19ec3974327b3800d9fb6ec69fed002100
SHA5128188e0988a95c4cc1bef475c841c781aa4c3a603cfc15184bd3f4e6103d9631effc722c2f67aee268650254490e89a57a75493f9fccec28b9058108579aea0a8