Analysis
-
max time kernel
112s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-03-2024 03:39
Behavioral task
behavioral1
Sample
TelegramRAT.exe
Resource
win7-20240221-en
General
-
Target
TelegramRAT.exe
-
Size
141KB
-
MD5
cd98e162b45967ddb90eee3cb19edd82
-
SHA1
f7d60aa415d06dd5d144f74081dac60b85e8103a
-
SHA256
6aeebc4573ddec9d5008582d7984d4014fb56c4c3e1a15ab2b06adb00e7878ad
-
SHA512
21ead7050502545121b8d059be5493942087fd496a4a864a24df520d4d815dd23573ea0450ba5738286f824337a1392d3ffba0d580a8a96182cea41a5ff0cd6c
-
SSDEEP
3072:ux57ZFDCfyVRHpy756OtAVIqOYiibKmCPQW4eCrAZrCeni:ohZFDCfyVRJchDebZoV
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation TelegramRAT.exe Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation rat.exe -
Executes dropped EXE 1 IoCs
pid Process 2448 rat.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow ioc 41 raw.githubusercontent.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2732 schtasks.exe 1200 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3872 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 1884 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2448 rat.exe 2448 rat.exe 2448 rat.exe 2448 rat.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2440 TelegramRAT.exe Token: SeDebugPrivilege 1884 tasklist.exe Token: SeDebugPrivilege 2448 rat.exe Token: SeDebugPrivilege 2448 rat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2448 rat.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2440 wrote to memory of 2732 2440 TelegramRAT.exe 96 PID 2440 wrote to memory of 2732 2440 TelegramRAT.exe 96 PID 2440 wrote to memory of 1324 2440 TelegramRAT.exe 98 PID 2440 wrote to memory of 1324 2440 TelegramRAT.exe 98 PID 1324 wrote to memory of 1884 1324 cmd.exe 100 PID 1324 wrote to memory of 1884 1324 cmd.exe 100 PID 1324 wrote to memory of 3904 1324 cmd.exe 101 PID 1324 wrote to memory of 3904 1324 cmd.exe 101 PID 1324 wrote to memory of 3872 1324 cmd.exe 102 PID 1324 wrote to memory of 3872 1324 cmd.exe 102 PID 1324 wrote to memory of 2448 1324 cmd.exe 106 PID 1324 wrote to memory of 2448 1324 cmd.exe 106 PID 2448 wrote to memory of 1200 2448 rat.exe 109 PID 2448 wrote to memory of 1200 2448 rat.exe 109 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"2⤵
- Creates scheduled task(s)
PID:2732
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4517.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp4517.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 2440"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1884
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:3904
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:3872
-
-
C:\a\rat.exe"rat.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"4⤵
- Creates scheduled task(s)
PID:1200
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175B
MD56e0af625e24c775c906201dd3135970f
SHA1597bbdfbf0480bb96392da3e9173758f99a32d84
SHA25638a40f6d2b007b5f099b85e268271ea478f0f4640c4f2cdf13a5c2b6b6853bf1
SHA512cfacdce73d20e2bcf0667c7fbed5778d03e459143fe5d2954423cf8ab6d7a91f01a74662c8231abcf1281ef6f816c22b62852e51baa83aaedb0d4750a6bac571
-
Filesize
141KB
MD5cd98e162b45967ddb90eee3cb19edd82
SHA1f7d60aa415d06dd5d144f74081dac60b85e8103a
SHA2566aeebc4573ddec9d5008582d7984d4014fb56c4c3e1a15ab2b06adb00e7878ad
SHA51221ead7050502545121b8d059be5493942087fd496a4a864a24df520d4d815dd23573ea0450ba5738286f824337a1392d3ffba0d580a8a96182cea41a5ff0cd6c