Malware Analysis Report

2024-08-06 12:02

Sample ID 240302-dgxkyahe98
Target TelegramRAT.exe
SHA256 03493eea453e28386671f1c458cd5956e41c988e95ea9df371c68ea6b92d1fec
Tags toxiceye rat trojan spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 03493eea453e28386671f1c458cd5956e41c988e95ea9df371c68ea6b92d1fec

Threat Level: Known bad

The file TelegramRAT.exe was found to be: Known bad.

Malicious Activity Summary

toxiceye rat trojan spyware stealer

Contains code to disable Windows Defender

ToxicEye

Toxiceye family

Downloads MZ/PE file

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-03-02 02:59

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Toxiceye family

toxiceye

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-02 02:59

Reported 2024-03-02 03:02

Platform win7-20240221-en

Max time kernel 117s

Max time network 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

ToxicEye

rat trojan toxiceye

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\schtasks.exe
PID 1044 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe C:\Windows\System32\cmd.exe
PID 2096 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2096 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2096 wrote to memory of 2576 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2096 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Users\CyberEye\rat.exe
PID 2420 wrote to memory of 1608 N/A C:\Users\CyberEye\rat.exe C:\Windows\System32\schtasks.exe
PID 2420 wrote to memory of 852 N/A C:\Users\CyberEye\rat.exe C:\Windows\system32\WerFault.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1101.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1101.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 1044"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\CyberEye\rat.exe

"rat.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2420 -s 1484

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.Telegram.org udp
NL 149.154.167.220:443 api.Telegram.org tcp

Files

memory/1044-0-0x00000000011F0000-0x000000000121A000-memory.dmp

memory/1044-1-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

memory/1044-2-0x000000001B0C0000-0x000000001B140000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1101.tmp.bat

MD5 6339e8cd3eb19838956823f1a2f764bf
SHA1 f01418bbf95313dc69d47387cea5b658e64b7c3d
SHA256 0eb3f48a9ac22415744755b31bc6f8aaa6052d128d79329dd33a8fa2f294724c
SHA512 bc4cb84d6fc42ecf72e093e41aaff9f3831ee81b46a551eac80bd35ba2b9215c620f77db2580a0f7fb85cb53da1823d2fc812f2c1d99e7460e381856dba5d501

memory/1044-6-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

C:\Users\CyberEye\rat.exe

MD5 c19a5df467e2b60b230ebcf5045a3318
SHA1 a0772479a4acdc3ed21ae103adc22594fb4630f7
SHA256 03493eea453e28386671f1c458cd5956e41c988e95ea9df371c68ea6b92d1fec
SHA512 ad82cf0fa1cb1151161e7bbecc147a3bf959cd3fc9bd25a538c7e805d2885bb82e5e71f6454e7a6fcdd5468fc8538e684a163a78f3e11d594c7fe64c41578440

memory/2420-10-0x0000000000310000-0x000000000033A000-memory.dmp

memory/2420-11-0x000007FEF4B00000-0x000007FEF54EC000-memory.dmp

memory/2420-12-0x000000001AF80000-0x000000001B000000-memory.dmp

memory/2420-13-0x000007FEF4B00000-0x000007FEF54EC000-memory.dmp

memory/2420-14-0x000000001AF80000-0x000000001B000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-02 02:59

Reported 2024-03-02 03:01

Platform win10v2004-20240226-en

Max time kernel 85s

Max time network 91s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

ToxicEye

rat trojan toxiceye

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\CyberEye\rat.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\CyberEye\rat.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\CyberEye\rat.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe

"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6E2B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6E2B.tmp.bat

C:\Windows\system32\tasklist.exe

Tasklist /fi "PID eq 4976"

C:\Windows\system32\find.exe

find ":"

C:\Windows\system32\timeout.exe

Timeout /T 1 /Nobreak

C:\Users\CyberEye\rat.exe

"rat.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 api.Telegram.org udp
NL 149.154.167.220:443 api.Telegram.org tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp

Files

memory/4976-0-0x000001CF350B0000-0x000001CF350DA000-memory.dmp

memory/4976-1-0x00007FFFA11D0000-0x00007FFFA1C91000-memory.dmp

memory/4976-2-0x000001CF36DD0000-0x000001CF36DE0000-memory.dmp

memory/4976-6-0x00007FFFA11D0000-0x00007FFFA1C91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6E2B.tmp.bat

MD5 0c10abf6a996eb38921b24bd539d3c15
SHA1 a8be39850d860dfbe355f90239aaa2e103ff1e62
SHA256 c3daa502e0b2e0643a1cad374dd84d7adfe885cdbe2300ae5aae342f41a29cb9
SHA512 0220d63af9f5bc9074d97ed0c9e38d49b5228a1ecef616bf67b5ba2a85a73e1cd16b932963fdcd5ceca92a10c5b9013cd8ec02d64be7d0e7c7e358226d352fb6

C:\Users\CyberEye\rat.exe

MD5 c19a5df467e2b60b230ebcf5045a3318
SHA1 a0772479a4acdc3ed21ae103adc22594fb4630f7
SHA256 03493eea453e28386671f1c458cd5956e41c988e95ea9df371c68ea6b92d1fec
SHA512 ad82cf0fa1cb1151161e7bbecc147a3bf959cd3fc9bd25a538c7e805d2885bb82e5e71f6454e7a6fcdd5468fc8538e684a163a78f3e11d594c7fe64c41578440

memory/220-11-0x00007FFFA11D0000-0x00007FFFA1C91000-memory.dmp

memory/220-12-0x000001B553860000-0x000001B553870000-memory.dmp

memory/220-15-0x000001B553A00000-0x000001B553A0A000-memory.dmp

memory/220-14-0x000001B553860000-0x000001B553870000-memory.dmp

memory/220-17-0x000001B5539C0000-0x000001B5539D2000-memory.dmp

memory/220-20-0x000001B553860000-0x000001B553870000-memory.dmp

memory/220-44-0x00007FFFA11D0000-0x00007FFFA1C91000-memory.dmp

memory/220-45-0x000001B553860000-0x000001B553870000-memory.dmp

memory/220-46-0x000001B553860000-0x000001B553870000-memory.dmp

memory/220-47-0x000001B553860000-0x000001B553870000-memory.dmp