General

  • Target

    TelegramRAT.exe

  • Size

    143KB

  • Sample

    240302-dgxkyahe98

  • MD5

    c19a5df467e2b60b230ebcf5045a3318

  • SHA1

    a0772479a4acdc3ed21ae103adc22594fb4630f7

  • SHA256

    03493eea453e28386671f1c458cd5956e41c988e95ea9df371c68ea6b92d1fec

  • SHA512

    ad82cf0fa1cb1151161e7bbecc147a3bf959cd3fc9bd25a538c7e805d2885bb82e5e71f6454e7a6fcdd5468fc8538e684a163a78f3e11d594c7fe64c41578440

  • SSDEEP

    3072:IKoQM7ZNlgOzv0zonwLhMzIf5HOHWHBAF0rkFAbA+UBQW4VCrAZ51Gdm:127ZNlgWFWHmO4FAbt1K

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

Targets

    • Target

      TelegramRAT.exe

    • Size

      143KB

    • MD5

      c19a5df467e2b60b230ebcf5045a3318

    • SHA1

      a0772479a4acdc3ed21ae103adc22594fb4630f7

    • SHA256

      03493eea453e28386671f1c458cd5956e41c988e95ea9df371c68ea6b92d1fec

    • SHA512

      ad82cf0fa1cb1151161e7bbecc147a3bf959cd3fc9bd25a538c7e805d2885bb82e5e71f6454e7a6fcdd5468fc8538e684a163a78f3e11d594c7fe64c41578440

    • SSDEEP

      3072:IKoQM7ZNlgOzv0zonwLhMzIf5HOHWHBAF0rkFAbA+UBQW4VCrAZ51Gdm:127ZNlgWFWHmO4FAbt1K

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • ToxicEye

      ToxicEye is a trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks