Overview

overview

10

Static

static

10

TelegramRAT.exe

windows7-x64

10

TelegramRAT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-03-2024 02:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TelegramRAT.exe

  • Size

    143KB

  • MD5

    c19a5df467e2b60b230ebcf5045a3318

  • SHA1

    a0772479a4acdc3ed21ae103adc22594fb4630f7

  • SHA256

    03493eea453e28386671f1c458cd5956e41c988e95ea9df371c68ea6b92d1fec

  • SHA512

    ad82cf0fa1cb1151161e7bbecc147a3bf959cd3fc9bd25a538c7e805d2885bb82e5e71f6454e7a6fcdd5468fc8538e684a163a78f3e11d594c7fe64c41578440

  • SSDEEP

    3072:IKoQM7ZNlgOzv0zonwLhMzIf5HOHWHBAF0rkFAbA+UBQW4VCrAZ51Gdm:127ZNlgWFWHmO4FAbt1K

Score
10/10
toxiceyerattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698

Signatures

  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2556
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1101.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1101.tmp.bat
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 1044"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2696
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:2644
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:2576
        • C:\Users\CyberEye\rat.exe
          "rat.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
            4⤵
            • Creates scheduled task(s)
            PID:1608
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2420 -s 1484
            4⤵
              PID:852

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp1101.tmp.bat
        Filesize

        188B

        MD5

        6339e8cd3eb19838956823f1a2f764bf

        SHA1

        f01418bbf95313dc69d47387cea5b658e64b7c3d

        SHA256

        0eb3f48a9ac22415744755b31bc6f8aaa6052d128d79329dd33a8fa2f294724c

        SHA512

        bc4cb84d6fc42ecf72e093e41aaff9f3831ee81b46a551eac80bd35ba2b9215c620f77db2580a0f7fb85cb53da1823d2fc812f2c1d99e7460e381856dba5d501

        Download Submit

      • C:\Users\CyberEye\rat.exe
        Filesize

        143KB

        MD5

        c19a5df467e2b60b230ebcf5045a3318

        SHA1

        a0772479a4acdc3ed21ae103adc22594fb4630f7

        SHA256

        03493eea453e28386671f1c458cd5956e41c988e95ea9df371c68ea6b92d1fec

        SHA512

        ad82cf0fa1cb1151161e7bbecc147a3bf959cd3fc9bd25a538c7e805d2885bb82e5e71f6454e7a6fcdd5468fc8538e684a163a78f3e11d594c7fe64c41578440

        Download Submit

      • memory/1044-0-0x00000000011F0000-0x000000000121A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/1044-1-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1044-2-0x000000001B0C0000-0x000000001B140000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1044-6-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2420-10-0x0000000000310000-0x000000000033A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/2420-11-0x000007FEF4B00000-0x000007FEF54EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2420-12-0x000000001AF80000-0x000000001B000000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2420-13-0x000007FEF4B00000-0x000007FEF54EC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2420-14-0x000000001AF80000-0x000000001B000000-memory.dmp

        Filesize

        512KB

        Download