Analysis Overview
SHA256: ba8d40a2a20d44a25041fb635bc86e596a41d42d695614f0ff01c0529e820fec
Threat Level: Known bad
The file TelegramRAT.exe was found to be: Known bad.
Malicious Activity Summary
ToxicEye
Contains code to disable Windows Defender
Toxiceye family
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Deletes itself
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Enumerates processes with tasklist
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported: 2024-03-02 02:50
Signatures
Contains code to disable Windows Defender
Toxiceye family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-02 02:50
Reported: 2024-03-02 02:52
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 126s
Signatures
Contains code to disable Windows Defender
ToxicEye
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe" |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp787A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp787A.tmp.bat |
| C:\Windows\system32\tasklist.exe | Tasklist /fi "PID eq 1280" |
| C:\Windows\system32\find.exe | find ":" |
| C:\Windows\system32\timeout.exe | Timeout /T 1 /Nobreak |
| C:\Windows\system32\tasklist.exe | Tasklist /fi "PID eq 1280" |
| C:\Windows\system32\find.exe | find ":" |
| C:\Windows\system32\timeout.exe | Timeout /T 1 /Nobreak |
| C:\Users\CyberEye\rat.exe | "rat.exe" |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe" |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2520 -s 1588 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp787A.tmp.bat
| Hash | Value |
|---|---|
| MD5 | 146685f50168501d950d620f2e272882 |
| SHA1 | 3b764e061b9ca4d5ca16c3cf8d9febcc4bf9c972 |
| SHA256 | 71c0b4a1ab1349dc3315c52c3a4d908453ca2919dae0e645dc40416c45e90b39 |
| SHA512 | 9593b9054a4afbdec8fe97548276794c585384c5440203ba4c8853c846e4a064b38d7dc40ff519fd3a262247aadc0e06428e05de28ccd146cfd344ab60623643 |
C:\Users\CyberEye\rat.exe
| Hash | Value |
|---|---|
| MD5 | 6d8b4e6092594fbdbe2c388270a5e005 |
| SHA1 | 7c7b30444c1d6e6964c9ff8c2b508f63ec0dc257 |
| SHA256 | ba8d40a2a20d44a25041fb635bc86e596a41d42d695614f0ff01c0529e820fec |
| SHA512 | a932e9bf57eda27f1274cdfe83e772501a809f59a9df228fbfce207c8f409998bea3a92436ee3ba9c936fed30593faa5f61fc0d16e21c9f1963b73cc9d66bf88 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-03-02 02:50
Reported: 2024-03-02 02:52
Platform: win10v2004-20240226-en
Max time kernel: 97s
Max time network: 102s
Signatures
Contains code to disable Windows Defender
ToxicEye
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\CyberEye\rat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe" |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp950C.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp950C.tmp.bat |
| C:\Windows\system32\tasklist.exe | Tasklist /fi "PID eq 2268" |
| C:\Windows\system32\find.exe | find ":" |
| C:\Windows\system32\timeout.exe | Timeout /T 1 /Nobreak |
| C:\Users\CyberEye\rat.exe | "rat.exe" |
| C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp950C.tmp.bat
| Hash | Value |
|---|---|
| MD5 | d249d260c313820a9c4dc347ee0604fc |
| SHA1 | 3824b12edc3048c77a6ba88135356be1def65fed |
| SHA256 | e6bf510747568f46055648b49316c9959e3a8a4e9804ea0ba24a14b874cddb77 |
| SHA512 | 8fa13a7d23eb678925811d408f6eb627623a4413f1ab6c5334f74e4b42dac05e8a5097243a448d0cf508cbfe29fe28639101ad46354200466f04d61eb5c218bf |
C:\Users\CyberEye\rat.exe
| Hash | Value |
|---|---|
| MD5 | 6d8b4e6092594fbdbe2c388270a5e005 |
| SHA1 | 7c7b30444c1d6e6964c9ff8c2b508f63ec0dc257 |
| SHA256 | ba8d40a2a20d44a25041fb635bc86e596a41d42d695614f0ff01c0529e820fec |
| SHA512 | a932e9bf57eda27f1274cdfe83e772501a809f59a9df228fbfce207c8f409998bea3a92436ee3ba9c936fed30593faa5f61fc0d16e21c9f1963b73cc9d66bf88 |