General
- Target: TelegramRAT.exe
- Size: 143KB
- Sample: 240302-dgxkyahe98
- MD5: c19a5df467e2b60b230ebcf5045a3318
- SHA1: a0772479a4acdc3ed21ae103adc22594fb4630f7
- SHA256: 03493eea453e28386671f1c458cd5956e41c988e95ea9df371c68ea6b92d1fec
- SHA512: ad82cf0fa1cb1151161e7bbecc147a3bf959cd3fc9bd25a538c7e805d2885bb82e5e71f6454e7a6fcdd5468fc8538e684a163a78f3e11d594c7fe64c41578440
- SSDEEP: 3072:IKoQM7ZNlgOzv0zonwLhMzIf5HOHWHBAF0rkFAbA+UBQW4VCrAZ51Gdm:127ZNlgWFWHmO4FAbt1K
Behavioral task: behavioral1
- Sample: TelegramRAT.exe
- Resource: win7-20240221-en
Malware Config
- Extracted: toxiceye
- https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698
Targets
- Target: TelegramRAT.exe
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2