Overview

overview

10

Static

static

10

AudioSwitc...io.dll

windows10-2004-x64

1

AudioSwitc...pi.dll

windows10-2004-x64

1

Sodium.dll

windows10-2004-x64

1

TelegramRAT.exe

windows10-2004-x64

10

TelegramRAT.exe.xml

windows10-2004-x64

1

TelegramRAT.pdb

windows10-2004-x64

3

Analysis

  • max time kernel
    73s
  • max time network
    73s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-04-2024 09:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TelegramRAT.exe

  • Size

    119KB

  • MD5

    41bd68b9e01c2019478cb811b44cffb0

  • SHA1

    6fa177eb529a76f734361fc321854a4b0d938fad

  • SHA256

    c83adba97cd5425d70aa5f5cc452554573e61312c835e18d9d050edf84924fc5

  • SHA512

    e4134d34f2fe34f6cd630547abe82f868646d6ee72a173c90280847eaa6caad6297f94e0f285de340a90a1717e0f40bb7d2297a53c8b2395e8a74628b72f9812

  • SSDEEP

    3072:ZaztXZwwoPpqDecIIbxqH4QWVzCrAZuD4x:U1nDeBIbUk

Score
10/10
toxiceyerattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7005624592:AAFT1GroRFjOnavaa8nJipFR-iCuYT3f2xQ/sendMessage?chat_id=6235796510

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4680
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp33D1.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp33D1.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4280
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 2224"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4192
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:3108
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:1928
        • C:\Users\ToxicEye\rat.exe
          "rat.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4980
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
            4⤵
            • Creates scheduled task(s)
            PID:2284

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp33D1.tmp.bat
      Filesize

      188B

      MD5

      3e4debcc3b16077a5e1ed1b115fafb36

      SHA1

      ff53fef1ed0e82f5eddfa2e22bdb336d4ebb2613

      SHA256

      0958dadf37f8b787383f34a49bdd38805bc505f9db91af9b45d5148f4713c839

      SHA512

      64f57eb496952472b7f78e86032e0be0aabb56aa7776b6f4917d466782f4bcb7f66beb9b2bab57427961180aa4607dfd45b018328adeb695c1f98b944da2db7d

      Download Submit

    • C:\Users\ToxicEye\rat.exe
      Filesize

      119KB

      MD5

      41bd68b9e01c2019478cb811b44cffb0

      SHA1

      6fa177eb529a76f734361fc321854a4b0d938fad

      SHA256

      c83adba97cd5425d70aa5f5cc452554573e61312c835e18d9d050edf84924fc5

      SHA512

      e4134d34f2fe34f6cd630547abe82f868646d6ee72a173c90280847eaa6caad6297f94e0f285de340a90a1717e0f40bb7d2297a53c8b2395e8a74628b72f9812

      Download Submit

    • memory/2224-0-0x000001F2A8B20000-0x000001F2A8B44000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2224-1-0x00007FFA4C570000-0x00007FFA4D031000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2224-2-0x000001F2C33B0000-0x000001F2C33C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2224-6-0x00007FFA4C570000-0x00007FFA4D031000-memory.dmp

      Filesize

      10.8MB

      Download