PDB path (AudioSwitcher.AudioApi.dll): C:\Dev\AudioSwitcher\AudioSwitcher.AudioApi\obj\Release\AudioSwitcher.AudioApi.pdb
Behavioral task behavioral1
  Sample: AudioSwitcher.AudioApi.CoreAudio.dll
  Resource: win10v2004-20240419-en
Behavioral task behavioral2
  Sample: AudioSwitcher.AudioApi.dll
  Resource: win10v2004-20240426-en
Behavioral task behavioral3
  Sample: Sodium.dll
  Resource: win10v2004-20240426-en
General
Target: TelegramRAT.zip
Size: 180KB
MD5: cc2bc21c47e62001401a43dd817fb22c
SHA1: f072bc2337121f10ff7ecd08cea78bec33be849d
SHA256: c5ee6af8e3d3bdf216ce505c98458fb68f13360ad6c0cf50487b6bd3f33c52f8
SHA512: 68e39b9862865bd181c78f111f7883e1e75e589b23dced21d18f1d9bf00f41464764fe1c0ce4bb9b44186a0ec5a94ae695bad793169ddd789b59ef92f893f96e
SSDEEP: 3072:MO6+JfRgOj0IzgDTQv7oAixWbun91oilnmIFwI0WRsV1TXXPx7Ekp3:M9+JZ7jxzgvQDovXn964mIdevx7v
Malware Config
Extracted family: toxiceye
C2 (Telegram Bot API: the implant calls sendMessage on bot 7005624592 with chat_id 6235796510):
https://api.telegram.org/bot7005624592:AAFT1GroRFjOnavaa8nJipFR-iCuYT3f2xQ/sendMessage?chat_id=6235796510
The string after "bot" is the operator's bot token, a live credential; the numeric bot id and the chat_id are the identifiers that can be shared as indicators.
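Worked example, added here and not part of the sandbox report or of the ToxicEye code: split a bot-API URL of the shape extracted above into bot id, token secret, method and chat_id, redact the secret for ticketing, and flag such URLs in proxy-style log lines. The token, hosts and log lines below are constructed, not the sample's real values; only the URL shape follows the extracted config.

```python
"""Pull the operator-side identifiers out of a ToxicEye-style Telegram Bot API
C2 URL and flag such URLs in proxy-style log lines. Stdlib only."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Bot API calls look like https://api.telegram.org/bot<bot_id>:<secret>/<method>?...
# The token is "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>"; the method name follows it.
BOT_URL_RE = re.compile(
    r"""https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})"""
    r"""/(?P<method>\w+)(?P<query>\?[^\s"'<>]*)?"""
)


@dataclass(frozen=True)
class TelegramC2:
    bot_id: str             # stable per bot, safe to share as an indicator
    secret: str             # credential half of the token; treat as sensitive
    method: str             # e.g. sendMessage (implant -> operator chat)
    chat_id: Optional[str]  # destination chat from the query string, if any


def parse_telegram_c2(url: str) -> Optional[TelegramC2]:
    """Return the parsed C2 fields, or None if the URL is not a bot-API call."""
    m = BOT_URL_RE.match(url)
    if not m:
        return None
    chat = parse_qs(urlsplit(url).query).get("chat_id", [None])[0]
    return TelegramC2(m["bot_id"], m["secret"], m["method"], chat)


def redact(text: str) -> str:
    """Mask the secret but keep bot id, method and query so the line stays useful in a ticket."""
    return BOT_URL_RE.sub(
        lambda m: f"https://api.telegram.org/bot{m['bot_id']}:<redacted>/{m['method']}{m['query'] or ''}",
        text,
    )


def scan_log(lines: List[str]) -> List[Tuple[int, TelegramC2]]:
    """Return (1-based line number, parsed C2) for every bot-API URL found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in BOT_URL_RE.finditer(line):
            parsed = parse_telegram_c2(m.group(0))
            if parsed:
                hits.append((n, parsed))
    return hits


# Constructed sample data (not from the report): a fake token and fake proxy log lines.
SECRET = "AAH" + "0" * 32  # 35 characters, the length of a real token secret
C2_URL = f"https://api.telegram.org/bot1234567890:{SECRET}/sendMessage?chat_id=987654321"
LOG = [
    f'2024-04-26T10:01:02Z host=WS01 proc=TelegramRAT.exe sni=api.telegram.org url="{C2_URL}&text=online"',
    '2024-04-26T10:01:05Z host=WS01 proc=chrome.exe sni=www.example.com url="https://www.example.com/"',
    f'2024-04-26T10:01:09Z host=WS01 proc=TelegramRAT.exe sni=api.telegram.org url="https://api.telegram.org/bot1234567890:{SECRET}/getUpdates?offset=5"',
]

if __name__ == "__main__":
    print(parse_telegram_c2(C2_URL))
    for line_no, hit in scan_log(LOG):
        print(line_no, hit.bot_id, hit.method, hit.chat_id)
    print(redact(LOG[0]))
```

Because the channel is TLS to api.telegram.org, a network sensor without TLS inspection sees only the destination and SNI, which are shared with legitimate Telegram clients; the usable signal is host-side, a non-browser process (here TelegramRAT.exe) talking to api.telegram.org, which is why the log lines carry the process name. The bot id before the colon survives redaction and can be pivoted on across incidents; the secret is a credential and should not be pasted into tickets or shared unredacted.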
Signatures
Toxiceye family (the PDB path E:\Projects\ToxicEye\TelegramRAT\... embedded in TelegramRAT.exe corroborates the attribution)
Unsigned PE (3 IoCs): checks for a missing Authenticode signature. Flagged resources: unpack001/AudioSwitcher.AudioApi.CoreAudio.dll, unpack001/AudioSwitcher.AudioApi.dll, unpack001/TelegramRAT.exe. Sodium.dll, the one file in the archive that carries an Authenticode signature (see Code Sign below), is not flagged.
Files
TelegramRAT.zip (.zip)
AudioSwitcher.AudioApi.CoreAudio.dll (.dll, windows:4 windows x86 arch:x86)
dae02f32a21e03ce65412f6e56942daa
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
Imports
mscoree
_CorDllMain
Sections
.text Size: 73KB - Virtual size: 73KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
AudioSwitcher.AudioApi.dll (.dll, windows:4 windows x86 arch:x86)
dae02f32a21e03ce65412f6e56942daa
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
Imports
mscoree
_CorDllMain
Sections
.text Size: 38KB - Virtual size: 37KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Sodium.dll (.dll, windows:4 windows x86 arch:x86)
dae02f32a21e03ce65412f6e56942daa
Code Sign
Certificate (serial fe:67:e4:f1:5a:24:e3:c6:0d:54:7c:a0:20:c2:76:70)
  Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
  Not Before: 08-03-2016 13:10
  Not After: 30-05-2027 13:10
  Subject: CN=Certum EV TSA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
  Extended Key Usages: TimeStamping
  Key Usages: DigitalSignature
Certificate (serial 6b:32:6a:0f:03:28:d3:7a:1d:53:0b:fd:23:bd:48:e2)
  Issuer: CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
  Not Before: 29-10-2015 11:30
  Not After: 09-06-2027 11:30
  Subject: CN=Certum Code Signing CA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
  Extended Key Usages: CodeSigning
  Key Usages: CertSign, CRLSign
Certificate (serial 32:d4:13:46:5a:84:6b:de:66:36:8b:8a:33:82:f5:bf)
  Issuer: CN=Certum Code Signing CA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
  Not Before: 07-07-2016 17:27
  Not After: 07-07-2017 17:27
  Subject: CN=Open Source Developer\, Adam Caudill,O=Open Source Developer,C=US,1.2.840.113549.1.9.1=#0c146164616d406164616d63617564696c6c2e636f6d (the last attribute is emailAddress, DER UTF8String "adam@adamcaudill.com")
  Extended Key Usages: CodeSigning
  Key Usages: DigitalSignature
Signer
  Digest: b0:83:5d:ce:39:95:7b:dc:65:e9:78:8d:ff:22:7e:c0:bf:64:45:15:c7:05:78:0e:60:9d:ff:13:dc:f4:c0:a6
  Actual PE Digest: b0:83:5d:ce:39:95:7b:dc:65:e9:78:8d:ff:22:7e:c0:bf:64:45:15:c7:05:78:0e:60:9d:ff:13:dc:f4:c0:a6
  Digest Algorithm: sha256
  PE Digest Matches: true
Note: the signing (leaf) certificate expired on 07-07-2017; the certificate set also contains a Certum time-stamping (TSA) certificate, consistent with a countersignature timestamp that keeps the signature valid past the leaf's expiry. The subject and the PDB path below (libsodium-net) identify Sodium.dll as the libsodium-net wrapper, a legitimate dependency bundled with the RAT; its valid signature vouches for nothing else in the archive.
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
PDB Paths
C:\Users\Adam\Documents\GitHub\libsodium-net\libsodium-net\obj\Release\Sodium.pdb
Imports
mscoree
_CorDllMain
Sections
.text Size: 52KB - Virtual size: 52KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1024B - Virtual size: 972B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
TelegramRAT.exe (.exe, windows:4 windows x86 arch:x86)
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
PDB Paths
E:\Projects\ToxicEye\TelegramRAT\TelegramRAT\obj\Release\TelegramRAT.pdb
Imports
mscoree
_CorExeMain
Sections
.text Size: 108KB - Virtual size: 108KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
TelegramRAT.exe.config (.xml)
TelegramRAT.pdb
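Added example, not from the report or from any of the projects whose binaries it lists: a stdlib-only parser for the header facts recorded above, run over constructed header-only PE32 images that stand in for the four executables. It decodes the DLL and file characteristics, tests the security data directory (the check behind the "Unsigned PE" signature), and tests the CLR header directory, which is what the lone mscoree!_CorDllMain / _CorExeMain import signals: all four are .NET assemblies. The byte images, the offsets placed in their data directories and the per-file flag combinations are constructed to mirror the report; the header layout and flag values are from the PE/COFF specification.

```python
"""Header-level triage of the PE facts the report lists: DLL/file characteristics,
whether an Authenticode blob is present (the "Unsigned PE" signature), and whether
the image is a managed (.NET) assembly. Pure stdlib; works on header-only images."""
import struct

# Bit values from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
    0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
    0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
    0x0400: "IMAGE_DLLCHARACTERISTICS_NO_SEH",
    0x8000: "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE",
}
FILE_CHARACTERISTICS = {
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
    0x2000: "IMAGE_FILE_DLL",
}
DIR_SECURITY = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode blob (file offset, not an RVA)
DIR_CLR = 14       # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: CLR header, non-zero only for .NET images


def _names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def triage_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and PE32 optional headers; raise on anything malformed."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symp, _nsym, _optsize, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    ndirs, = struct.unpack_from("<I", data, opt + 92)

    def directory(index):
        if index >= ndirs:
            return 0, 0
        return struct.unpack_from("<II", data, opt + 96 + 8 * index)

    _sec_off, sec_size = directory(DIR_SECURITY)
    _clr_rva, clr_size = directory(DIR_CLR)
    return {
        "arch": "x86" if machine == 0x14C else hex(machine),
        "is_dll": bool(file_chars & 0x2000),
        "file_characteristics": _names(file_chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _names(dll_chars, DLL_CHARACTERISTICS),
        # Presence only: a non-empty security directory means a WIN_CERTIFICATE blob exists.
        # Whether its digest matches the image (the report's "PE Digest Matches: true")
        # needs full Authenticode verification, which this triage does not do.
        "authenticode_present": sec_size > 0,
        "managed": clr_size > 0,
    }


def build_pe32(*, is_dll, dll_chars, signed, managed) -> bytes:
    """Constructed header-only PE32 image for the demo; not a loadable binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE header follows the DOS header
    file_chars = 0x0002 | 0x0020 | (0x2000 if is_dll else 0)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE [| DLL]
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, file_chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<HH", opt, 40, 4, 0)                     # MajorOperatingSystemVersion 4.0
    struct.pack_into("<H", opt, 68, 2)                         # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if signed:   # pretend a WIN_CERTIFICATE blob of 0x1800 bytes sits at file offset 0x1000
        struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, 0x1000, 0x1800)
    if managed:  # pretend a 72-byte CLR header sits at RVA 0x2008
        struct.pack_into("<II", opt, 96 + 8 * DIR_CLR, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-ins carrying the header facts the report lists for each file.
MITIGATIONS = 0x0040 | 0x0100 | 0x0400 | 0x8000   # DYNAMIC_BASE | NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE
SAMPLES = {
    "AudioSwitcher.AudioApi.CoreAudio.dll": build_pe32(is_dll=True, dll_chars=MITIGATIONS, signed=False, managed=True),
    "AudioSwitcher.AudioApi.dll": build_pe32(is_dll=True, dll_chars=MITIGATIONS, signed=False, managed=True),
    "Sodium.dll": build_pe32(is_dll=True, dll_chars=MITIGATIONS, signed=True, managed=True),
    "TelegramRAT.exe": build_pe32(is_dll=False, dll_chars=MITIGATIONS | 0x0020, signed=False, managed=True),
}


def unsigned_pe_iocs(samples: dict) -> list:
    """The report's 'Unsigned PE' logic: every image with no Authenticode directory."""
    return [name for name, data in samples.items() if not triage_pe(data)["authenticode_present"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage_pe(data))
    print("Unsigned PE IoCs:", unsigned_pe_iocs(SAMPLES))
```

On a real file, read its bytes and pass them to triage_pe; the offsets are fixed for every PE32. PE32+ images (magic 0x20b) keep DllCharacteristics at offset 70 of the optional header but start the data directories at offset 112, so extend directory() before using this on 64-bit binaries. A present security directory is a necessary, not sufficient, condition for a trustworthy signature: a stale or tampered blob also makes the directory non-empty, and the report's "PE Digest Matches: true" is the result of the full Authenticode hash comparison that this triage leaves to a proper verifier.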