Analysis

max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-03-2024 03:38
Behavioral task: behavioral1
Sample: TelegramRAT.exe
Resource: win7-20240220-en
General

Target: TelegramRAT.exe
Size: 141KB
MD5: 3f348796bd487827ac9e566dc082d5ce
SHA1: 54fd77ca70dfcb9dfa092ff5f5cc911eca27e39d
SHA256: 05784dc21b94b6c838f1d979fcf7107fc7c1be31c026eccc9259c7878a52ba92
SHA512: bc5292d8a45e10fd59d4661bdb189f595407b5c3f5fbe2f6a3153e129d75a1d8e868ada144504640c2e1504cba8c717a365fab145ad04b7c179f2829f17309c8
SSDEEP: 3072:Txx7ZFDCfyVRHpy756OtAVIqOYiibKmCPQW4eCrAZrRen1:FZZFDCfyVRJchDebZos
Malware Config

Extracted
Family: toxiceye
C2: https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

The path segment bot<id>:<secret> is the operator's Telegram Bot API token and chat_id is the chat that receives the beacons. Both are pivotable indicators; the token is also a live credential for the bot, so treat it as sensitive when sharing.
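The extraction the sandbox performed above can be reproduced over arbitrary strings output, as in the following added example (not the sandbox's own extractor and not code from the malware). The first input string is the C2 URL from this report; the other two are constructed, one to show a different Bot API method with a group chat_id, one with a malformed token that must be rejected. The 35-character secret length is the token format observed in practice, an assumption here rather than something the report states.

```python
"""Extract Telegram Bot API C2 endpoints from strings (added example)."""
import re

# Input strings: the report's C2 URL, then two constructed test cases.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo"
    "/sendMessage?chat_id=6226815698",
    # constructed: another method, negative chat_id (a group/supergroup)
    "POST https://api.telegram.org/bot123456789:" + "AAH" + "x" * 32
    + "/sendDocument (chat_id=-1001234567890)",
    # constructed: malformed token, must not produce a record
    "https://api.telegram.org/botnotatoken/sendMessage?chat_id=1",
]

# Token format "<numeric bot id>:<35-char secret>" is assumed from observed tokens.
TELEGRAM_C2 = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})"
    r"/(?P<method>[A-Za-z]+)"
)
CHAT_ID = re.compile(r"chat_id=(?P<chat_id>-?\d+)")


def extract_telegram_c2(text):
    """Return one record per Bot API URL in text: bot id, full token, method, chat_id."""
    records = []
    for m in TELEGRAM_C2.finditer(text):
        # chat_id is normally passed right after the method, as a query or form parameter
        tail = text[m.end():m.end() + 200]
        chat = CHAT_ID.search(tail)
        records.append({
            "bot_id": m.group("bot_id"),
            "token": f"{m.group('bot_id')}:{m.group('secret')}",
            "method": m.group("method"),
            "chat_id": chat.group("chat_id") if chat else None,
        })
    return records


def extract_all(strings):
    """Run the extractor over a list of strings (e.g. a strings dump)."""
    return [r for s in strings for r in extract_telegram_c2(s)]


def redact_token(token):
    """Keep the bot id (still pivotable) and the secret's ends; drop the middle so a
    shared IOC cannot be used to drive the bot."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


if __name__ == "__main__":
    for rec in extract_all(SAMPLE_STRINGS):
        print(redact_token(rec["token"]), rec["method"], rec["chat_id"])
```

Network-side, the useful detection is not the URL itself but api.telegram.org being contacted by a process that is not a browser or the Telegram client; the extractor is for turning sandbox or strings output into shareable indicators.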
Signatures

Downloads MZ/PE file

Checks computer location settings  (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence. The value is the Windows GeoID of the user's configured location; when re-running the sample, changing this value is the quickest way to test whether it aborts for excluded regions.
  Key value queried: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation  (TelegramRAT.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation  (rat.exe)

Executes dropped EXE  (1 IoC)
  PID 3200  rat.exe

Reads user/profile data of web browsers  (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other profile data.

Legitimate hosting services abused for malware hosting/C2  (1 TTP, 3 IoCs)
  flow 30  raw.githubusercontent.com
  flow 31  raw.githubusercontent.com
  flow 32  raw.githubusercontent.com
Together with "Downloads MZ/PE file" above, this is consistent with the second stage being fetched from GitHub rather than carried inside the sample.

Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s)  (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4288  schtasks.exe
  PID 3808  schtasks.exe

Delays execution with timeout.exe  (1 IoC)
  PID 3372  timeout.exe

Enumerates processes with tasklist  (1 TTP, 1 IoC)
  PID 2384  tasklist.exe

Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  PID 3200  rat.exe  (64 occurrences)

Suspicious use of AdjustPrivilegeToken  (4 IoCs)
  Token: SeDebugPrivilege  PID 3256  TelegramRAT.exe
  Token: SeDebugPrivilege  PID 2384  tasklist.exe
  Token: SeDebugPrivilege  PID 3200  rat.exe
  Token: SeDebugPrivilege  PID 3200  rat.exe

Suspicious use of SetWindowsHookEx  (1 IoC)
  PID 3200  rat.exe
SetWindowsHookEx is the API behind user-mode keyboard hooks, among other uses.

Suspicious use of WriteProcessMemory  (14 IoCs)
  source PID  source process    target PID  procid_target
  3256        TelegramRAT.exe   4288        91   (x2)
  3256        TelegramRAT.exe   4572        94   (x2)
  4572        cmd.exe           2384        96   (x2)
  4572        cmd.exe           2940        97   (x2)
  4572        cmd.exe           3372        98   (x2)
  4572        cmd.exe           3200        99   (x2)
  3200        rat.exe           3808        101  (x2)
Every row is a parent writing into a child it has just created (compare the process tree), so here this signature reflects process spawning rather than injection into an unrelated process.

Uses Task Scheduler COM API  (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe  (PID 3256)
  "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\schtasks.exe  (PID 4288, child of 3256)
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"
    - Creates scheduled task(s)

  C:\Windows\System32\cmd.exe  (PID 4572, child of 3256)
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp.bat
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\tasklist.exe  (PID 2384, child of 4572)
      Tasklist /fi "PID eq 3256"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\find.exe  (PID 2940, child of 4572)
      find ":"

    C:\Windows\system32\timeout.exe  (PID 3372, child of 4572)
      Timeout /T 1 /Nobreak
      - Delays execution with timeout.exe

    C:\a\rat.exe  (PID 3200, child of 4572)
      "rat.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\schtasks.exe  (PID 3808, child of 3200)
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"
        - Creates scheduled task(s)

Reading the tree: the dropper registers C:\a\rat.exe as an ONLOGON task named "Chrome Update" with /RL HIGHEST, then hands off to a self-deleting batch file in Temp. The commands that batch file spawned are the usual wait-for-parent-exit stub: tasklist /fi "PID eq 3256" piped into find ":" succeeds only once tasklist prints its "INFO: No tasks are running ..." line (the only output containing a colon; the table rows for a live process do not), so the script sleeps one second with timeout and polls until the dropper has exited, then starts rat.exe, which re-creates the same scheduled task. The batch file's contents are not preserved in this report; the interpretation above is from the commands it spawned.
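The two behaviours in the tree above (task creation pointing at an untrusted path under a vendor-themed name, and the self-deleting Temp batch file that polls with tasklist/find/timeout before launching the payload) can be detected from process-creation telemetry alone. The following is an added example, not the sandbox's own logic and not code from the malware. EVENTS are constructed Sysmon-style records (pid, ppid, image, command line) copied from the report's process tree; the parent PIDs 1000 and 900 and the final GoogleUpdate record (a benign control) are constructed and do not appear in the report, and the trusted-directory list and rule names are this example's own choices.

```python
"""Process-tree detections for the persistence and installer-stub behaviour (added example)."""
import re
from collections import defaultdict

SCHTASKS_RAT = (r'"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST '
                r'/tn "Chrome Update" /tr "C:\a\rat.exe"')
# Constructed records modelled on the report's process tree; PPIDs 1000/900 and the
# last record (Google's own updater task, a benign control) are not from the report.
EVENTS = [
    (3256, 1000, r"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"'),
    (4288, 3256, r"C:\Windows\System32\schtasks.exe", SCHTASKS_RAT),
    (4572, 3256, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp.bat '
     r'& Del C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp.bat'),
    (2384, 4572, r"C:\Windows\system32\tasklist.exe", r'Tasklist /fi "PID eq 3256"'),
    (2940, 4572, r"C:\Windows\system32\find.exe", r'find ":"'),
    (3372, 4572, r"C:\Windows\system32\timeout.exe", r"Timeout /T 1 /Nobreak"),
    (3200, 4572, r"C:\a\rat.exe", r'"rat.exe"'),
    (3808, 3200, r"C:\Windows\System32\schtasks.exe", SCHTASKS_RAT),
    (5000, 900, r"C:\Windows\System32\schtasks.exe",  # constructed benign control
     r'schtasks /create /f /sc ONLOGON /tn "GoogleUpdateTaskMachineUA" '
     r'/tr "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"'),
]

# Directories from which a task action is considered unremarkable (this example's choice).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCHTASKS_OPT = re.compile(r'/(sc|rl|tn|tr)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
VENDOR_WORDS = re.compile(r"chrome|google|edge|microsoft|windows|update|adobe", re.IGNORECASE)
STUB_TOOLS = {"tasklist.exe", "find.exe", "timeout.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline):
    """Pull the /sc, /rl, /tn and /tr values (quoted or bare) out of a schtasks command line."""
    opts = {}
    for m in SCHTASKS_OPT.finditer(cmdline):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def target_binary(tr):
    """Binary path from a /tr value, which may carry arguments and quotes."""
    tr = tr.strip('"')
    m = re.match(r"(.*?\.exe)", tr, re.IGNORECASE)
    return (m.group(1) if m else tr.split(" ")[0]).lower()


def schtasks_finding(pid, cmdline):
    """Flag task creation whose action binary lives outside trusted directories; the
    privilege level, the trigger and a vendor-themed name are recorded as extra reasons."""
    if "/create" not in cmdline.lower():
        return None
    opts = parse_schtasks(cmdline)
    if "tr" not in opts:
        return None
    target = target_binary(opts["tr"])
    if target.startswith(TRUSTED_PREFIXES):
        return None
    reasons = [f"action binary outside trusted directories: {target}"]
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("/RL HIGHEST: runs with the highest privileges the user holds")
    if opts.get("sc", "").upper() in ("ONLOGON", "ONSTART"):
        reasons.append(f"/sc {opts['sc'].upper()}: persistence trigger")
    name = opts.get("tn", "")
    if VENDOR_WORDS.search(name):
        reasons.append(f"vendor-themed task name {name!r}")
    return {"rule": "suspicious_schtasks", "pid": pid, "task": name,
            "target": target, "reasons": reasons}


def stub_findings(events):
    """Flag cmd.exe that runs and then deletes a .bat in Temp, whose children include
    tasklist, find and timeout (the poll-until-parent-exits loop) and a binary from an
    untrusted path: the dropper's wait-then-launch installer stub."""
    children = defaultdict(list)
    for pid, ppid, image, cmd in events:
        children[ppid].append((pid, image, cmd))
    findings = []
    for pid, _ppid, image, cmd in events:
        low = cmd.lower()
        if basename(image) != "cmd.exe" or ".bat" not in low or "\\temp\\" not in low:
            continue
        if not re.search(r"&\s*del\b", low):
            continue
        if not STUB_TOOLS <= {basename(img) for _c, img, _l in children[pid]}:
            continue
        launched = [(cpid, img) for cpid, img, _l in children[pid]
                    if not img.lower().startswith(TRUSTED_PREFIXES)]
        findings.append({"rule": "self_deleting_bat_wait_then_launch",
                         "pid": pid, "launched": launched})
    return findings


def analyze(events):
    """Run both rules over a list of process-creation records."""
    findings = []
    for pid, _ppid, image, cmd in events:
        if basename(image) == "schtasks.exe":
            f = schtasks_finding(pid, cmd)
            if f:
                findings.append(f)
    return findings + stub_findings(events)


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The schtasks rule keys on the action path rather than on the name: the benign control uses the same ONLOGON trigger and the same "update" wording but runs from Program Files, so it is not flagged, while both "Chrome Update" creations are, each with four reasons. The stub rule needs the parent/child relation, which is why it works over the whole event list rather than per event.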
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 175B
MD5: 7bfdeb82c6f073b9bd0244d8cd241f08
SHA1: c3e5929b300058a63aa5660ffb38d5d12f9661a5
SHA256: df9324f1bf380dd714e390aea9fb9fc83f3100f0583bf10d9f0747063a82e198
SHA512: c1f6025f97d5d66dabdbf9bd457f22afd37934d72ae8a6aedbd86d44481224dec4721ceb8999e6178d8ae6b6c12eff08c19c41800e08718161598e1e4d3b654f

Filesize: 140KB
MD5: 920d6ea63b03c8ca7c2fd8e456973f62
SHA1: 16c977a44af4449be701b50414276ff80f60b373
SHA256: 532b69ac7d72f436069bc93748de4838e2888e0bf88252428b656c5f0fb3b535
SHA512: e54ba38a2d51de259a0f55c3e437e775c4274d347c5a9b8fc8f4a08f019dfcca5e3122c3cfcedde7b9931c7db7ae20eaf5418a2b7919f40f794309c40355804c

Filesize: 141KB  (identical hashes to the submitted sample TelegramRAT.exe)
MD5: 3f348796bd487827ac9e566dc082d5ce
SHA1: 54fd77ca70dfcb9dfa092ff5f5cc911eca27e39d
SHA256: 05784dc21b94b6c838f1d979fcf7107fc7c1be31c026eccc9259c7878a52ba92
SHA512: bc5292d8a45e10fd59d4661bdb189f595407b5c3f5fbe2f6a3153e129d75a1d8e868ada144504640c2e1504cba8c717a365fab145ad04b7c179f2829f17309c8