toxiceye | TelegramRAT[.]exe | Triage

Sharing

General

Target

TelegramRAT.exe
Size

141KB
MD5

3f348796bd487827ac9e566dc082d5ce
SHA1

54fd77ca70dfcb9dfa092ff5f5cc911eca27e39d
SHA256

05784dc21b94b6c838f1d979fcf7107fc7c1be31c026eccc9259c7878a52ba92
SHA512

bc5292d8a45e10fd59d4661bdb189f595407b5c3f5fbe2f6a3153e129d75a1d8e868ada144504640c2e1504cba8c717a365fab145ad04b7c179f2829f17309c8
SSDEEP

3072:Txx7ZFDCfyVRHpy756OtAVIqOYiibKmCPQW4eCrAZrRen1:FZZFDCfyVRJchDebZos

Score

10^/10

toxiceye

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

Signatures

Toxiceye family
toxiceye

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
TelegramRAT.exe

Files

TelegramRAT.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\notfishvr\Downloads\CyberEye-main\TelegramRAT\obj\Debug\TelegramRAT.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 139KB - Virtual size: 138KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ