Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02-03-2024 03:49
Behavioral task
behavioral1
Sample
TelegramRAT.exe
Resource
win7-20240221-en
General
-
Target
TelegramRAT.exe
-
Size
141KB
-
MD5
3748d676147a437e12c83372fb084b17
-
SHA1
d6d7fae8acf766850ebe20d4e32882b26eb7d71b
-
SHA256
d45b164e99aed8684a4d79685278fa764be83092f1f64d1b299eb93229831cf1
-
SHA512
d09daf64c757ec7138ebc512493fba48b357a98ddf16c4c9eebd4af82a6185894032f4e936d33e323066a715d29c13552e6533f5dc16eaf7fbf86f2fe0204423
-
SSDEEP
3072:LkSfx+nPu2KiQQ7+ofe7Uoxo1bKm1/QW4aCrAZr9IhsG:Qax+nmSn7B1bZ3i
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698
Signatures
-
Deletes itself 1 IoCs
pid Process 2600 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2496 rat.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2664 schtasks.exe 1200 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2776 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 2672 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2496 rat.exe 2496 rat.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1132 TelegramRAT.exe Token: SeDebugPrivilege 2672 tasklist.exe Token: SeDebugPrivilege 2496 rat.exe Token: SeDebugPrivilege 2496 rat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2496 rat.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1132 wrote to memory of 2664 1132 TelegramRAT.exe 30 PID 1132 wrote to memory of 2664 1132 TelegramRAT.exe 30 PID 1132 wrote to memory of 2664 1132 TelegramRAT.exe 30 PID 1132 wrote to memory of 2600 1132 TelegramRAT.exe 32 PID 1132 wrote to memory of 2600 1132 TelegramRAT.exe 32 PID 1132 wrote to memory of 2600 1132 TelegramRAT.exe 32 PID 2600 wrote to memory of 2672 2600 cmd.exe 34 PID 2600 wrote to memory of 2672 2600 cmd.exe 34 PID 2600 wrote to memory of 2672 2600 cmd.exe 34 PID 2600 wrote to memory of 2560 2600 cmd.exe 35 PID 2600 wrote to memory of 2560 2600 cmd.exe 35 PID 2600 wrote to memory of 2560 2600 cmd.exe 35 PID 2600 wrote to memory of 2776 2600 cmd.exe 36 PID 2600 wrote to memory of 2776 2600 cmd.exe 36 PID 2600 wrote to memory of 2776 2600 cmd.exe 36 PID 2600 wrote to memory of 2496 2600 cmd.exe 37 PID 2600 wrote to memory of 2496 2600 cmd.exe 37 PID 2600 wrote to memory of 2496 2600 cmd.exe 37 PID 2496 wrote to memory of 1200 2496 rat.exe 39 PID 2496 wrote to memory of 1200 2496 rat.exe 39 PID 2496 wrote to memory of 1200 2496 rat.exe 39 PID 2496 wrote to memory of 2508 2496 rat.exe 41 PID 2496 wrote to memory of 2508 2496 rat.exe 41 PID 2496 wrote to memory of 2508 2496 rat.exe 41 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"2⤵
- Creates scheduled task(s)
PID:2664
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2AD8.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp2AD8.tmp.bat2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 1132"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:2560
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:2776
-
-
C:\a\rat.exe"rat.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"4⤵
- Creates scheduled task(s)
PID:1200
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2496 -s 15084⤵PID:2508
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175B
MD58b6093d4c5d3361c39dcc6ca6ab57475
SHA1f116b744e8b9e75d2ad7532c05f1c5358c38136a
SHA25698182e51f07d07f990ceb13f96eec268a135c2a153802dfaad9f01559ebcacff
SHA512528c965bfdbd41c027b13f69ecca10e641f113a321576f2e582e4b24a3682afd48f8a74a8f7678dc29ad38767a91126e70a26f77b0f1dd7494266203eeb6b8b1
-
Filesize
141KB
MD53748d676147a437e12c83372fb084b17
SHA1d6d7fae8acf766850ebe20d4e32882b26eb7d71b
SHA256d45b164e99aed8684a4d79685278fa764be83092f1f64d1b299eb93229831cf1
SHA512d09daf64c757ec7138ebc512493fba48b357a98ddf16c4c9eebd4af82a6185894032f4e936d33e323066a715d29c13552e6533f5dc16eaf7fbf86f2fe0204423