Analysis
-
max time kernel
93s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-03-2024 03:49
Behavioral task
behavioral1
Sample
TelegramRAT.exe
Resource
win7-20240221-en
General
-
Target
TelegramRAT.exe
-
Size
141KB
-
MD5
3748d676147a437e12c83372fb084b17
-
SHA1
d6d7fae8acf766850ebe20d4e32882b26eb7d71b
-
SHA256
d45b164e99aed8684a4d79685278fa764be83092f1f64d1b299eb93229831cf1
-
SHA512
d09daf64c757ec7138ebc512493fba48b357a98ddf16c4c9eebd4af82a6185894032f4e936d33e323066a715d29c13552e6533f5dc16eaf7fbf86f2fe0204423
-
SSDEEP
3072:LkSfx+nPu2KiQQ7+ofe7Uoxo1bKm1/QW4aCrAZr9IhsG:Qax+nmSn7B1bZ3i
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7040511851:AAEjBKSxADGWlNtLxaKpotGtf53NUQ1UgAo/sendMessage?chat_id=6226815698
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation TelegramRAT.exe Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation rat.exe -
Executes dropped EXE 1 IoCs
pid Process 3304 rat.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow ioc 38 raw.githubusercontent.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4028 schtasks.exe 1924 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1196 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 1876 tasklist.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 4904 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3304 rat.exe 3304 rat.exe 3304 rat.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1144 TelegramRAT.exe Token: SeDebugPrivilege 1876 tasklist.exe Token: SeDebugPrivilege 3304 rat.exe Token: SeDebugPrivilege 3304 rat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3304 rat.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1144 wrote to memory of 4028 1144 TelegramRAT.exe 92 PID 1144 wrote to memory of 4028 1144 TelegramRAT.exe 92 PID 1144 wrote to memory of 1580 1144 TelegramRAT.exe 94 PID 1144 wrote to memory of 1580 1144 TelegramRAT.exe 94 PID 1580 wrote to memory of 1876 1580 cmd.exe 96 PID 1580 wrote to memory of 1876 1580 cmd.exe 96 PID 1580 wrote to memory of 1612 1580 cmd.exe 97 PID 1580 wrote to memory of 1612 1580 cmd.exe 97 PID 1580 wrote to memory of 1196 1580 cmd.exe 98 PID 1580 wrote to memory of 1196 1580 cmd.exe 98 PID 1580 wrote to memory of 3304 1580 cmd.exe 100 PID 1580 wrote to memory of 3304 1580 cmd.exe 100 PID 3304 wrote to memory of 1924 3304 rat.exe 103 PID 3304 wrote to memory of 1924 3304 rat.exe 103 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"2⤵
- Creates scheduled task(s)
PID:4028
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3C7C.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp3C7C.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 1144"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:1612
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:1196
-
-
C:\a\rat.exe"rat.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\a\rat.exe"4⤵
- Creates scheduled task(s)
PID:1924
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4072
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\a\bookmarks.txt1⤵
- Opens file in notepad (likely ransom note)
PID:4904
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175B
MD5fff8b77e88f59f6f4c92cebd4f9f3443
SHA12c0219551237ed8ac1169160e9dc2fb6f7821390
SHA256bf7a03a2547ed63a815b32bccc575d4440e28f39af7b9fbe1ac13e8aab33da02
SHA51245bfc4891cb0a9e1dc751dd1bbbfb2e392b69a114c1dcc1d19e4666d305d5e29c9300bcf01ff4fa87c7c6d0978b560b7b8b412823c7469cb22793e04bd0d4b4b
-
Filesize
13B
MD561f8a15f0bf3ef90a36796b6cbb7b105
SHA19a0893ee4bfb0e58c64902fc4da215dcbec12e3f
SHA256678150f8aa675320e486b135418a7ed5b546514a5aa808588eccc12fe8cd2130
SHA5125afb5a40e95b289db50db7aa151a5a526ef04824533fccd0ad3d6ea813cc5621b8009521d7f5db69fbcb1a46640e963427fd6b42721df26f1fbfc89f59a8abab
-
Filesize
141KB
MD53748d676147a437e12c83372fb084b17
SHA1d6d7fae8acf766850ebe20d4e32882b26eb7d71b
SHA256d45b164e99aed8684a4d79685278fa764be83092f1f64d1b299eb93229831cf1
SHA512d09daf64c757ec7138ebc512493fba48b357a98ddf16c4c9eebd4af82a6185894032f4e936d33e323066a715d29c13552e6533f5dc16eaf7fbf86f2fe0204423