Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-03-2024 03:41
Behavioral task
behavioral1
Sample
TelegramRAT.exe
Resource
win7-20240215-en
General
-
Target
TelegramRAT.exe
-
Size
141KB
-
MD5
cd98e162b45967ddb90eee3cb19edd82
-
SHA1
f7d60aa415d06dd5d144f74081dac60b85e8103a
-
SHA256
6aeebc4573ddec9d5008582d7984d4014fb56c4c3e1a15ab2b06adb00e7878ad
-
SHA512
21ead7050502545121b8d059be5493942087fd496a4a864a24df520d4d815dd23573ea0450ba5738286f824337a1392d3ffba0d580a8a96182cea41a5ff0cd6c
-
SSDEEP
3072:ux57ZFDCfyVRHpy756OtAVIqOYiibKmCPQW4eCrAZrCeni:ohZFDCfyVRJchDebZoV
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation TelegramRAT.exe Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation rat.exe -
Executes dropped EXE 1 IoCs
pid Process 4536 rat.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow ioc 31 raw.githubusercontent.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4980 schtasks.exe 412 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3460 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 3936 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 4536 rat.exe 4536 rat.exe 4536 rat.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 860 TelegramRAT.exe Token: SeDebugPrivilege 3936 tasklist.exe Token: SeDebugPrivilege 4536 rat.exe Token: SeDebugPrivilege 4536 rat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4536 rat.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 860 wrote to memory of 4980 860 TelegramRAT.exe 92 PID 860 wrote to memory of 4980 860 TelegramRAT.exe 92 PID 860 wrote to memory of 4816 860 TelegramRAT.exe 94 PID 860 wrote to memory of 4816 860 TelegramRAT.exe 94 PID 4816 wrote to memory of 3936 4816 cmd.exe 97 PID 4816 wrote to memory of 3936 4816 cmd.exe 97 PID 4816 wrote to memory of 3344 4816 cmd.exe 98 PID 4816 wrote to memory of 3344 4816 cmd.exe 98 PID 4816 wrote to memory of 3460 4816 cmd.exe 99 PID 4816 wrote to memory of 3460 4816 cmd.exe 99 PID 4816 wrote to memory of 4536 4816 cmd.exe 100 PID 4816 wrote to memory of 4536 4816 cmd.exe 100 PID 4536 wrote to memory of 412 4536 rat.exe 102 PID 4536 wrote to memory of 412 4536 rat.exe 102 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"2⤵
- Creates scheduled task(s)
PID:4980
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp56CB.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp56CB.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 860"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3936
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:3344
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:3460
-
-
C:\a\rat.exe"rat.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"4⤵
- Creates scheduled task(s)
PID:412
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
174B
MD580b93bbfc9c28d33275db3996473c752
SHA17ca10d186c3c6c8a9882bc32c147b70f3047fe67
SHA256decba9dbd9162602de76aef3ca111ee5df1706b7ab25d5bc7d8e0758d863f20e
SHA512a9e5fd4f3e9ab43289533b038ce402098675d472571046c634ab7025f4148f15eee3b53f14de0cd5111cbfc89e944f5eac3fc5a13f7563c1b492b1b9598b5d3a
-
Filesize
141KB
MD5cd98e162b45967ddb90eee3cb19edd82
SHA1f7d60aa415d06dd5d144f74081dac60b85e8103a
SHA2566aeebc4573ddec9d5008582d7984d4014fb56c4c3e1a15ab2b06adb00e7878ad
SHA51221ead7050502545121b8d059be5493942087fd496a4a864a24df520d4d815dd23573ea0450ba5738286f824337a1392d3ffba0d580a8a96182cea41a5ff0cd6c