Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02-03-2024 03:39
Behavioral task
behavioral1
Sample
TelegramRAT.exe
Resource
win7-20240221-en
General
-
Target
TelegramRAT.exe
-
Size
141KB
-
MD5
cd98e162b45967ddb90eee3cb19edd82
-
SHA1
f7d60aa415d06dd5d144f74081dac60b85e8103a
-
SHA256
6aeebc4573ddec9d5008582d7984d4014fb56c4c3e1a15ab2b06adb00e7878ad
-
SHA512
21ead7050502545121b8d059be5493942087fd496a4a864a24df520d4d815dd23573ea0450ba5738286f824337a1392d3ffba0d580a8a96182cea41a5ff0cd6c
-
SSDEEP
3072:ux57ZFDCfyVRHpy756OtAVIqOYiibKmCPQW4eCrAZrCeni:ohZFDCfyVRJchDebZoV
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698
Signatures
-
Deletes itself 1 IoCs
pid Process 2820 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2664 rat.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2824 schtasks.exe 2284 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2888 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 2760 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2664 rat.exe 2664 rat.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2196 TelegramRAT.exe Token: SeDebugPrivilege 2760 tasklist.exe Token: SeDebugPrivilege 2664 rat.exe Token: SeDebugPrivilege 2664 rat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2664 rat.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2196 wrote to memory of 2824 2196 TelegramRAT.exe 30 PID 2196 wrote to memory of 2824 2196 TelegramRAT.exe 30 PID 2196 wrote to memory of 2824 2196 TelegramRAT.exe 30 PID 2196 wrote to memory of 2820 2196 TelegramRAT.exe 32 PID 2196 wrote to memory of 2820 2196 TelegramRAT.exe 32 PID 2196 wrote to memory of 2820 2196 TelegramRAT.exe 32 PID 2820 wrote to memory of 2760 2820 cmd.exe 34 PID 2820 wrote to memory of 2760 2820 cmd.exe 34 PID 2820 wrote to memory of 2760 2820 cmd.exe 34 PID 2820 wrote to memory of 2600 2820 cmd.exe 35 PID 2820 wrote to memory of 2600 2820 cmd.exe 35 PID 2820 wrote to memory of 2600 2820 cmd.exe 35 PID 2820 wrote to memory of 2888 2820 cmd.exe 36 PID 2820 wrote to memory of 2888 2820 cmd.exe 36 PID 2820 wrote to memory of 2888 2820 cmd.exe 36 PID 2820 wrote to memory of 2664 2820 cmd.exe 37 PID 2820 wrote to memory of 2664 2820 cmd.exe 37 PID 2820 wrote to memory of 2664 2820 cmd.exe 37 PID 2664 wrote to memory of 2284 2664 rat.exe 39 PID 2664 wrote to memory of 2284 2664 rat.exe 39 PID 2664 wrote to memory of 2284 2664 rat.exe 39 PID 2664 wrote to memory of 2684 2664 rat.exe 41 PID 2664 wrote to memory of 2684 2664 rat.exe 41 PID 2664 wrote to memory of 2684 2664 rat.exe 41 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"2⤵
- Creates scheduled task(s)
PID:2824
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1C18.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1C18.tmp.bat2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 2196"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:2600
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:2888
-
-
C:\a\rat.exe"rat.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"4⤵
- Creates scheduled task(s)
PID:2284
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2664 -s 14884⤵PID:2684
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175B
MD5cc3d9576fdafd27bed8089548484a651
SHA16036b20b9ccdf20e22bbeb0aee819c88840fb9a5
SHA256724e190d2f0859142e9d3a94771df8b99e1457b1f661b79ebb56d6e81a6e882a
SHA5124a33c4bca38f0960030b716aa804888dc83937c561d461b283f37b2ba84d6c7bedd50f36e7223bd675e8366fbf88f58f5b73e431cd073990a9da84a9eb8ac1e2
-
Filesize
141KB
MD5cd98e162b45967ddb90eee3cb19edd82
SHA1f7d60aa415d06dd5d144f74081dac60b85e8103a
SHA2566aeebc4573ddec9d5008582d7984d4014fb56c4c3e1a15ab2b06adb00e7878ad
SHA51221ead7050502545121b8d059be5493942087fd496a4a864a24df520d4d815dd23573ea0450ba5738286f824337a1392d3ffba0d580a8a96182cea41a5ff0cd6c