Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\system32\tasklist.exe	N/A
Token: SeDebugPrivilege	N/A	C:\a\rat.exe	N/A
Token: SeDebugPrivilege	N/A	C:\a\rat.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\a\rat.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1740 wrote to memory of 2140	N/A	C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe	C:\Windows\System32\schtasks.exe
PID 1740 wrote to memory of 2140	N/A	C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe	C:\Windows\System32\schtasks.exe
PID 1740 wrote to memory of 2140	N/A	C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe	C:\Windows\System32\schtasks.exe
PID 1740 wrote to memory of 2672	N/A	C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe	C:\Windows\System32\cmd.exe
PID 1740 wrote to memory of 2672	N/A	C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe	C:\Windows\System32\cmd.exe
PID 1740 wrote to memory of 2672	N/A	C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe	C:\Windows\System32\cmd.exe
PID 2672 wrote to memory of 2572	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\tasklist.exe
PID 2672 wrote to memory of 2572	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\tasklist.exe
PID 2672 wrote to memory of 2572	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\tasklist.exe
PID 2672 wrote to memory of 2556	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\find.exe
PID 2672 wrote to memory of 2556	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\find.exe
PID 2672 wrote to memory of 2556	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\find.exe
PID 2672 wrote to memory of 2392	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\timeout.exe
PID 2672 wrote to memory of 2392	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\timeout.exe
PID 2672 wrote to memory of 2392	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\timeout.exe
PID 2672 wrote to memory of 2800	N/A	C:\Windows\System32\cmd.exe	C:\a\rat.exe
PID 2672 wrote to memory of 2800	N/A	C:\Windows\System32\cmd.exe	C:\a\rat.exe
PID 2672 wrote to memory of 2800	N/A	C:\Windows\System32\cmd.exe	C:\a\rat.exe
PID 2800 wrote to memory of 2208	N/A	C:\a\rat.exe	C:\Windows\System32\schtasks.exe
PID 2800 wrote to memory of 2208	N/A	C:\a\rat.exe	C:\Windows\System32\schtasks.exe
PID 2800 wrote to memory of 2208	N/A	C:\a\rat.exe	C:\Windows\System32\schtasks.exe
PID 2800 wrote to memory of 2900	N/A	C:\a\rat.exe	C:\Windows\system32\WerFault.exe
PID 2800 wrote to memory of 2900	N/A	C:\a\rat.exe	C:\Windows\system32\WerFault.exe
PID 2800 wrote to memory of 2900	N/A	C:\a\rat.exe	C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2A6A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp2A6A.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 1740"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\a\rat.exe

"rat.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2800 -s 1532

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	google.com	udp
US	8.8.8.8:53	api.Telegram.org	udp
NL	149.154.167.220:443	api.Telegram.org	tcp
NL	149.154.167.220:443	api.Telegram.org	tcp

Files

memory/1740-0-0x0000000000CE0000-0x0000000000D0A000-memory.dmp

memory/1740-1-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/1740-2-0x000000001AC60000-0x000000001ACE0000-memory.dmp

memory/1740-5-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2A6A.tmp.bat

MD5	17fdb154ebd5c57e3fdc05351a64ed5e
SHA1	505b2a3b83f399884cec835781bb63c228858109
SHA256	cd598668172e1950ee0298b12061114e74176678dd901bc5130db25f2a7edc8b
SHA512	423c7fedf9f643c399d552ed5ca656a5e989cba3e479783f13f2f6d715c5409fee1d4826a4d8e70f15b0c4c1bbc8f9fa8073674fd296c4967f2a26b03b3b2fcb

C:\a\rat.exe

MD5	3f348796bd487827ac9e566dc082d5ce
SHA1	54fd77ca70dfcb9dfa092ff5f5cc911eca27e39d
SHA256	05784dc21b94b6c838f1d979fcf7107fc7c1be31c026eccc9259c7878a52ba92
SHA512	bc5292d8a45e10fd59d4661bdb189f595407b5c3f5fbe2f6a3153e129d75a1d8e868ada144504640c2e1504cba8c717a365fab145ad04b7c179f2829f17309c8

memory/2800-10-0x0000000001230000-0x000000000125A000-memory.dmp

memory/2800-11-0x000007FEF4CA0000-0x000007FEF568C000-memory.dmp

memory/2800-12-0x000000001B000000-0x000000001B080000-memory.dmp

memory/2800-13-0x000007FEF4CA0000-0x000007FEF568C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 03:38

Reported

2024-03-02 03:41

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

Signatures

ToxicEye

rat trojan toxiceye

Downloads MZ/PE file

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	C:\a\rat.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\a\rat.exe	N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description	Indicator	Process	Target
N/A	raw.githubusercontent.com	N/A	N/A
N/A	raw.githubusercontent.com	N/A	N/A
N/A	raw.githubusercontent.com	N/A	N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\schtasks.exe	N/A
N/A	N/A	C:\Windows\System32\schtasks.exe	N/A

Delays execution with timeout.exe

evasion

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\timeout.exe	N/A

Enumerates processes with tasklist

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\system32\tasklist.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A
N/A	N/A	C:\a\rat.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\system32\tasklist.exe	N/A
Token: SeDebugPrivilege	N/A	C:\a\rat.exe	N/A
Token: SeDebugPrivilege	N/A	C:\a\rat.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\a\rat.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 3256 wrote to memory of 4288	N/A	C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe	C:\Windows\System32\schtasks.exe
PID 3256 wrote to memory of 4288	N/A	C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe	C:\Windows\System32\schtasks.exe
PID 3256 wrote to memory of 4572	N/A	C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe	C:\Windows\System32\cmd.exe
PID 3256 wrote to memory of 4572	N/A	C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe	C:\Windows\System32\cmd.exe
PID 4572 wrote to memory of 2384	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\tasklist.exe
PID 4572 wrote to memory of 2384	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\tasklist.exe
PID 4572 wrote to memory of 2940	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\find.exe
PID 4572 wrote to memory of 2940	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\find.exe
PID 4572 wrote to memory of 3372	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\timeout.exe
PID 4572 wrote to memory of 3372	N/A	C:\Windows\System32\cmd.exe	C:\Windows\system32\timeout.exe
PID 4572 wrote to memory of 3200	N/A	C:\Windows\System32\cmd.exe	C:\a\rat.exe
PID 4572 wrote to memory of 3200	N/A	C:\Windows\System32\cmd.exe	C:\a\rat.exe
PID 3200 wrote to memory of 3808	N/A	C:\a\rat.exe	C:\Windows\System32\schtasks.exe
PID 3200 wrote to memory of 3808	N/A	C:\a\rat.exe	C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 3256"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\a\rat.exe

"rat.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	68.32.126.40.in-addr.arpa	udp
US	8.8.8.8:53	180.178.17.96.in-addr.arpa	udp
US	8.8.8.8:53	9.228.82.20.in-addr.arpa	udp
US	8.8.8.8:53	41.110.16.96.in-addr.arpa	udp
US	8.8.8.8:53	55.36.223.20.in-addr.arpa	udp
US	8.8.8.8:53	google.com	udp
US	8.8.8.8:53	api.Telegram.org	udp
NL	149.154.167.220:443	api.Telegram.org	tcp
NL	149.154.167.220:443	api.Telegram.org	tcp
US	8.8.8.8:53	raw.githubusercontent.com	udp
US	185.199.108.133:443	raw.githubusercontent.com	tcp
US	185.199.108.133:443	raw.githubusercontent.com	tcp
NL	149.154.167.220:443	api.Telegram.org	tcp
NL	149.154.167.220:443	api.Telegram.org	tcp
NL	149.154.167.220:443	api.Telegram.org	tcp
US	8.8.8.8:53	220.167.154.149.in-addr.arpa	udp
US	8.8.8.8:53	133.108.199.185.in-addr.arpa	udp
NL	149.154.167.220:443	api.Telegram.org	tcp
NL	149.154.167.220:443	api.Telegram.org	tcp
NL	149.154.167.220:443	api.Telegram.org	tcp
US	8.8.8.8:53	26.165.165.52.in-addr.arpa	udp
US	8.8.8.8:53	15.164.165.52.in-addr.arpa	udp
US	8.8.8.8:53	217.135.221.88.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	194.178.17.96.in-addr.arpa	udp
US	8.8.8.8:53	170.117.168.52.in-addr.arpa	udp

Files

memory/3256-0-0x0000026120760000-0x000002612078A000-memory.dmp

memory/3256-1-0x00007FFDE7270000-0x00007FFDE7D31000-memory.dmp

memory/3256-2-0x000002613AD30000-0x000002613AD40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6031.tmp.bat

MD5	7bfdeb82c6f073b9bd0244d8cd241f08
SHA1	c3e5929b300058a63aa5660ffb38d5d12f9661a5
SHA256	df9324f1bf380dd714e390aea9fb9fc83f3100f0583bf10d9f0747063a82e198
SHA512	c1f6025f97d5d66dabdbf9bd457f22afd37934d72ae8a6aedbd86d44481224dec4721ceb8999e6178d8ae6b6c12eff08c19c41800e08718161598e1e4d3b654f

memory/3256-7-0x00007FFDE7270000-0x00007FFDE7D31000-memory.dmp

C:\a\rat.exe

MD5	3f348796bd487827ac9e566dc082d5ce
SHA1	54fd77ca70dfcb9dfa092ff5f5cc911eca27e39d
SHA256	05784dc21b94b6c838f1d979fcf7107fc7c1be31c026eccc9259c7878a52ba92
SHA512	bc5292d8a45e10fd59d4661bdb189f595407b5c3f5fbe2f6a3153e129d75a1d8e868ada144504640c2e1504cba8c717a365fab145ad04b7c179f2829f17309c8

C:\a\rat.exe

MD5	920d6ea63b03c8ca7c2fd8e456973f62
SHA1	16c977a44af4449be701b50414276ff80f60b373
SHA256	532b69ac7d72f436069bc93748de4838e2888e0bf88252428b656c5f0fb3b535
SHA512	e54ba38a2d51de259a0f55c3e437e775c4274d347c5a9b8fc8f4a08f019dfcca5e3122c3cfcedde7b9931c7db7ae20eaf5418a2b7919f40f794309c40355804c

memory/3200-11-0x00007FFDE7270000-0x00007FFDE7D31000-memory.dmp

memory/3200-12-0x00000277B5D70000-0x00000277B5D80000-memory.dmp

memory/3200-14-0x00000277CED80000-0x00000277CED8A000-memory.dmp

memory/3200-17-0x00000277B5D70000-0x00000277B5D80000-memory.dmp

memory/3200-16-0x00000277CEEF0000-0x00000277CEF02000-memory.dmp

memory/3200-22-0x00000277B5D70000-0x00000277B5D80000-memory.dmp

memory/3200-44-0x00007FFDE7270000-0x00007FFDE7D31000-memory.dmp

memory/3200-45-0x00000277B5D70000-0x00000277B5D80000-memory.dmp

memory/3200-46-0x00000277B5D70000-0x00000277B5D80000-memory.dmp

memory/3200-47-0x00000277B5D70000-0x00000277B5D80000-memory.dmp

Sample ID	240302-d659daaa76
Target	TelegramRAT.exe
SHA256	05784dc21b94b6c838f1d979fcf7107fc7c1be31c026eccc9259c7878a52ba92
Tags	toxiceye rat trojan spyware stealer

Malware Analysis Report

2024-08-06 11:55

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files