Analysis Overview
SHA256
d33e97596d19884faf2d19e3c33799bff12a790062e98522ff30db4236ff170b
Threat Level: Known bad
The file TelegramRAT.exe was found to be: Known bad.
Malicious Activity Summary
ToxicEye
Toxiceye family
Executes dropped EXE
Deletes itself
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Enumerates processes with tasklist
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-02 03:14
Signatures
Toxiceye family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 03:14
Reported
2024-03-02 03:17
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
ToxicEye
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp78D8.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp78D8.tmp.bat
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 2320"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\CyberEye\rat.exe
"rat.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2604 -s 1584
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.Telegram.org | udp |
| NL | 149.154.167.220:443 | api.Telegram.org | tcp |
| NL | 149.154.167.220:443 | api.Telegram.org | tcp |
Files
memory/2320-0-0x0000000001090000-0x00000000010BA000-memory.dmp
memory/2320-1-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp
memory/2320-2-0x000000001B010000-0x000000001B090000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp78D8.tmp.bat
| MD5 | d83308c0c1dfe50749a90a4dafc23cd8 |
| SHA1 | c7d6884b7041692ab6394d92963ac9bd67b5691b |
| SHA256 | 2f282e046a4d348b89c3ab94d959c3d7cf0eb3ad0f2b367d003fdba60c141044 |
| SHA512 | 8e35d85d45927549c18bf5e5c20fca40ad10c194abefd1839544f5284989c04cd46f9abcbcf430f2d1b9d95f0fbe89baabaa4ce84c69f2e551a63886121775c5 |
memory/2320-6-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp
C:\Users\CyberEye\rat.exe
| MD5 | ed2c7bc269dac9dd4478f1dc773de9f6 |
| SHA1 | a2bf4318a949329308799ccfc3d2379acf304d77 |
| SHA256 | d33e97596d19884faf2d19e3c33799bff12a790062e98522ff30db4236ff170b |
| SHA512 | afeda67797e52f3fe873f8da0454028bcb3eed09b39596c69333cf09b79c91161add4f7b6992078a114abb2190e4e4f0fa98da83748fcf20cd07ce27bbc73b46 |
memory/2604-10-0x0000000000E40000-0x0000000000E6A000-memory.dmp
memory/2604-11-0x000007FEF4BE0000-0x000007FEF55CC000-memory.dmp
memory/2604-12-0x000000001B140000-0x000000001B1C0000-memory.dmp
memory/2604-13-0x000007FEF4BE0000-0x000007FEF55CC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 03:14
Reported
2024-03-02 03:17
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
ToxicEye
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\CyberEye\rat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\CyberEye\rat.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp738A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp738A.tmp.bat
C:\Windows\system32\tasklist.exe
Tasklist /fi "PID eq 752"
C:\Windows\system32\find.exe
find ":"
C:\Windows\system32\timeout.exe
Timeout /T 1 /Nobreak
C:\Users\CyberEye\rat.exe
"rat.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.Telegram.org | udp |
| NL | 149.154.167.220:443 | api.Telegram.org | tcp |
| NL | 149.154.167.220:443 | api.Telegram.org | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
memory/752-0-0x0000025D266F0000-0x0000025D2671A000-memory.dmp
memory/752-1-0x00007FFC95730000-0x00007FFC961F1000-memory.dmp
memory/752-2-0x0000025D40C00000-0x0000025D40C10000-memory.dmp
memory/752-6-0x00007FFC95730000-0x00007FFC961F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp738A.tmp.bat
| MD5 | 59b35f0c172b331b7068f073f65c3b4d |
| SHA1 | 3a5908f9e35ec6144a99fda6709c250c1830338d |
| SHA256 | b16d91dd1d59881a4716d51a21745976ec545c16f86da5e4f7178c7e6aea8f83 |
| SHA512 | 507a366eacf9695c1e637701f247cd06ab3cc10c510c476f406e690a2b76b3d7bfe6258ce29c24ddbe78e4b0937b8263867a0b7c436e3cbdd2eda18b6d041ba9 |
C:\Users\CyberEye\rat.exe
| MD5 | ed2c7bc269dac9dd4478f1dc773de9f6 |
| SHA1 | a2bf4318a949329308799ccfc3d2379acf304d77 |
| SHA256 | d33e97596d19884faf2d19e3c33799bff12a790062e98522ff30db4236ff170b |
| SHA512 | afeda67797e52f3fe873f8da0454028bcb3eed09b39596c69333cf09b79c91161add4f7b6992078a114abb2190e4e4f0fa98da83748fcf20cd07ce27bbc73b46 |
memory/3228-11-0x00007FFC95600000-0x00007FFC960C1000-memory.dmp
memory/3228-12-0x000001D01B430000-0x000001D01B440000-memory.dmp
memory/3228-15-0x000001D01B8C0000-0x000001D01B8CA000-memory.dmp
memory/3228-16-0x00007FFC95600000-0x00007FFC960C1000-memory.dmp