Malware Analysis Report

2024-08-06 12:01

Sample ID 240302-cyxrlahc65
Target TelegramRAT.exe
SHA256 d064c0c5e34236710062931303079f19ec3974327b3800d9fb6ec69fed002100
Tags
toxiceye rat trojan spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d064c0c5e34236710062931303079f19ec3974327b3800d9fb6ec69fed002100

Threat Level: Known bad

The file TelegramRAT.exe was found to be: Known bad.

Malicious Activity Summary

toxiceye rat trojan spyware stealer

Contains code to disable Windows Defender

Toxiceye family

ToxicEye

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Enumerates processes with tasklist

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
System Information Discovery
T1082
Process Discovery
T1057
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-03-02 02:29

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Toxiceye family

toxiceye

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 02:29

Reported

2024-03-02 02:32

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ToxicEye

rat trojan toxiceye

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\schtasks.exe
PID 2868 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\schtasks.exe
PID 2868 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\schtasks.exe
PID 2868 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\cmd.exe
PID 2868 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\cmd.exe
PID 2868 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\cmd.exe
PID 2252 wrote to memory of 2552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2252 wrote to memory of 2552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2252 wrote to memory of 2552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2252 wrote to memory of 2556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2252 wrote to memory of 2556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2252 wrote to memory of 2556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2252 wrote to memory of 2388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2252 wrote to memory of 2388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2252 wrote to memory of 2388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2252 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2252 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2252 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2252 wrote to memory of 2516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2252 wrote to memory of 2516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2252 wrote to memory of 2516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2252 wrote to memory of 2408 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2252 wrote to memory of 2408 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2252 wrote to memory of 2408 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2252 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 2252 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 2252 wrote to memory of 2424 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 2424 wrote to memory of 472 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe
PID 2424 wrote to memory of 472 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe
PID 2424 wrote to memory of 472 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe
PID 2424 wrote to memory of 2720 N/A C:\Users\CyberEye\rat.exe C:\Windows\system32\WerFault.exe
PID 2424 wrote to memory of 2720 N/A C:\Users\CyberEye\rat.exe C:\Windows\system32\WerFault.exe
PID 2424 wrote to memory of 2720 N/A C:\Users\CyberEye\rat.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7A1F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7A1F.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2868"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2868"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\CyberEye\rat.exe

"rat.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2424 -s 1572

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2868-0-0x0000000001060000-0x000000000108A000-memory.dmp

memory/2868-1-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

memory/2868-2-0x000000001AEF0000-0x000000001AF70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7A1F.tmp.bat

MD5 da181be4e975d513e0ca94b8ff3f207f
SHA1 639150727323758a4b9499764a9a7b43343c4134
SHA256 b1f776c4e8304087396645aea147ec0f2e1aa4634287e5e08e26e8d22be14c35
SHA512 91baafb704269358fa649d5c51b76aed11634e4f0ec3b5c27e9f23873c3472d1cc959cd373ece8a93e99cd0c644b99bd009dac7520d8080ac7bc5c5069fe1847

memory/2868-6-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

C:\Users\CyberEye\rat.exe

MD5 d469138477c7462efab75afd4bd13db7
SHA1 daa970c886981f8ae8264fda8fc104dbffac6c66
SHA256 d064c0c5e34236710062931303079f19ec3974327b3800d9fb6ec69fed002100
SHA512 8188e0988a95c4cc1bef475c841c781aa4c3a603cfc15184bd3f4e6103d9631effc722c2f67aee268650254490e89a57a75493f9fccec28b9058108579aea0a8

memory/2424-10-0x0000000000FA0000-0x0000000000FCA000-memory.dmp

memory/2424-11-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

memory/2424-12-0x000000001ACE0000-0x000000001AD60000-memory.dmp

memory/2424-13-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 02:29

Reported

2024-03-02 02:30

Platform

win10v2004-20240226-en

Max time kernel

32s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ToxicEye

rat trojan toxiceye

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\CyberEye\rat.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\schtasks.exe
PID 2408 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\schtasks.exe
PID 2408 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\cmd.exe
PID 2408 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\cmd.exe
PID 4952 wrote to memory of 5080 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4952 wrote to memory of 5080 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4952 wrote to memory of 1008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4952 wrote to memory of 1008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4952 wrote to memory of 4388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 4388 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 1416 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 4952 wrote to memory of 1416 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 1416 wrote to memory of 3472 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe
PID 1416 wrote to memory of 3472 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5360.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp5360.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 2408"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\CyberEye\rat.exe

"rat.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp

Files

memory/2408-0-0x0000023591250000-0x000002359127A000-memory.dmp

memory/2408-1-0x00007FFDE7830000-0x00007FFDE82F1000-memory.dmp

memory/2408-2-0x00000235AB860000-0x00000235AB870000-memory.dmp

memory/2408-6-0x00007FFDE7830000-0x00007FFDE82F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5360.tmp.bat

MD5 0294ef40516dbd68cd2d24997312dc49
SHA1 bf196902555c00be63d0ce19155f377068728d40
SHA256 56e275c5f8cb963c58f686e4c361a05afbabc2548a3d1c7bc30388894ffac846
SHA512 24a7053fa9700cb29fab9884d585b224c3584962a87ec5b46812ae58e3e240275934a4aae149795abe5bfabca77880683346e3662447cb2a46ce1a06cbe9f7c9

C:\Users\CyberEye\rat.exe

MD5 d469138477c7462efab75afd4bd13db7
SHA1 daa970c886981f8ae8264fda8fc104dbffac6c66
SHA256 d064c0c5e34236710062931303079f19ec3974327b3800d9fb6ec69fed002100
SHA512 8188e0988a95c4cc1bef475c841c781aa4c3a603cfc15184bd3f4e6103d9631effc722c2f67aee268650254490e89a57a75493f9fccec28b9058108579aea0a8

memory/1416-11-0x00007FFDE71D0000-0x00007FFDE7C91000-memory.dmp

memory/1416-12-0x00000237597F0000-0x0000023759800000-memory.dmp

memory/1416-14-0x0000023759970000-0x000002375997A000-memory.dmp

memory/1416-16-0x00000237599A0000-0x00000237599B2000-memory.dmp

memory/1416-42-0x00007FFDE71D0000-0x00007FFDE7C91000-memory.dmp

memory/1416-43-0x00000237597F0000-0x0000023759800000-memory.dmp