Overview

overview

10

Static

static

10

AudioSwitc...io.dll

windows10-2004-x64

1

AudioSwitc...io.dll

windows11-21h2-x64

1

AudioSwitc...pi.dll

windows10-2004-x64

1

AudioSwitc...pi.dll

windows11-21h2-x64

1

Sodium.dll

windows10-2004-x64

1

Sodium.dll

windows11-21h2-x64

1

TelegramRAT.exe

windows10-2004-x64

10

TelegramRAT.exe

windows11-21h2-x64

10

TelegramRAT.exe.xml

windows10-2004-x64

1

TelegramRAT.exe.xml

windows11-21h2-x64

1

TelegramRAT.pdb

windows10-2004-x64

3

TelegramRAT.pdb

windows11-21h2-x64

3

Analysis

  • max time kernel
    26s
  • max time network
    29s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-04-2024 09:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TelegramRAT.exe

  • Size

    111KB

  • MD5

    8834c1eaf28b3b076df2a0aac5d1148e

  • SHA1

    640e70c94c0e01492c4c45cf2b23b65914a94cc5

  • SHA256

    49f704606ec839fa6867a5f5f67090299b69b02dab7d352e161c8a754165de8a

  • SHA512

    59c6d085818d43607ee2aef904899690a116a34f6e50978c35017d1a546964bcdfc435b7fb09bab998d4d0eacc8b614a58a55c029311d7c33473a501f4f3f561

  • SSDEEP

    1536:p+bvqJIP4M91qQIwzUrxxxdKy2nBfUbhDqI6CsQWVzCrAZuDZ6Dd:sbvqJe4MUlxxDrbxqHBQWVzCrAZuDQd

Score
10/10
toxiceyeransomwareratspywarestealertrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7005624592:AAFT1GroRFjOnavaa8nJipFR-iCuYT3f2xQ/sendMessage?chat_id=6235796510

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Renames multiple (254) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\rat.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4856
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp31DD.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp31DD.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 3124"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:5028
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:396
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:2828
        • C:\Users\Admin\rat.exe
          "rat.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2196
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\rat.exe"
            4⤵
            • Creates scheduled task(s)
            PID:3740

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Process Discovery

    1
    T1057

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7aecc611-26d7-49be-ae95-c7e71c0ec540}\0.1.filtertrie.intermediate.txt.crypted
      Filesize

      16B

      MD5

      4b63a8b6da902d17aba6043baae8fef6

      SHA1

      b89736178917de303da781aad4be703a8c43b4ac

      SHA256

      3e2e5b6dbfdb31a4d47ac9b5c41a0b63ce226b60d14f6d3c67937983259261ae

      SHA512

      11f6b3d4489a1699f015abb3dc90abc6dc418b1a3439e379451380c993628e47555da078d302cf2a5b257d2e961e448febe0012622ba8ebc21985228fb7e7097

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7aecc611-26d7-49be-ae95-c7e71c0ec540}\0.2.filtertrie.intermediate.txt.crypted
      Filesize

      16B

      MD5

      b5e7fbc99ce2cd65bc2e946e895643e5

      SHA1

      99f444d6cdbb916c92f225cd1bb829341822157d

      SHA256

      04844c82305d42c375955970552be0f4671132f2a238c75304deffa86456a309

      SHA512

      f1e1d37533e9db1b375047346d0c882e10b733e447ec9c09ea9497357717adb3734f60ccedba0c03106276c991c0dccc01410edef081f7c1c6e28516314ef1b7

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086595780251.txt.crypted
      Filesize

      77KB

      MD5

      7130187265254a909f0124b37a4bbc01

      SHA1

      66bdda2642e46149cfafbd105ee33d9ff6803180

      SHA256

      ce9e4f35282616dfa16ae8463fe97ba0445f8f2059c91c855598129b40c9bbc4

      SHA512

      b1cced85a673e5f36e17c943921285b655f8f62bb1e8291cc816a9fb0d6331fe10f210b10e9294a607e5f2706e30dfe4489b39e00fa3bdaa1186cbca863713a3

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088460765966.txt.crypted
      Filesize

      47KB

      MD5

      9fd976dbeabfafd7c405f4fcfdb06bc1

      SHA1

      972bcd96030b88062b889708a6a31fd96a44188e

      SHA256

      78ab1f7f6fb59c3c502945ca270fe8e68a7a83203192264d8b4c21d143c6fbb5

      SHA512

      879db9dc7030a58537b8fbb0badb6cb8bf5dd44240326981dffc6633bd5334f9ce093a2a28925011ba29225f45364553885723e733e276b940b1fd8dd3364c7e

      Download Submit
    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586094498261003.txt.crypted
      Filesize

      66KB

      MD5

      6d5660dd3b0489982fb07a7984f15053

      SHA1

      bde5b25ae85383a10fd40fc8e9fe7d0d082e48dd

      SHA256

      c68d605c75e6212a6e6de8cd6b74457dc675665b3cf8b8dfef200ec27c699dc3

      SHA512

      21523d0bd87b90d21dadbc249be081b93781385abcbe4f03394fd583c3ca6020d5911e311c0f2b25027dc9617a1a86fc33616276ea105796d7b2efafc1fa885e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp31DD.tmp.bat
      Filesize

      185B

      MD5

      e869df259004674046692bdabb111166

      SHA1

      334357eff7bb838183215ee5a729e0a1bf410df7

      SHA256

      f61792e80bd37ec0a4bbf944014ccfd3daefb7ecfde261ee5d0f3091d9d34426

      SHA512

      7b38f0fb4d741086ba102432fe5a6e1a081a6eb41f5f3ca48259d06168ee83d5a550f9c0745b683f0a97dd21b2023b7f70a5386bfde2a8b049a78e7526af2687

      Download Submit
    • C:\Users\Admin\rat.exe
      Filesize

      111KB

      MD5

      8834c1eaf28b3b076df2a0aac5d1148e

      SHA1

      640e70c94c0e01492c4c45cf2b23b65914a94cc5

      SHA256

      49f704606ec839fa6867a5f5f67090299b69b02dab7d352e161c8a754165de8a

      SHA512

      59c6d085818d43607ee2aef904899690a116a34f6e50978c35017d1a546964bcdfc435b7fb09bab998d4d0eacc8b614a58a55c029311d7c33473a501f4f3f561

      Download Submit
    • memory/2196-11-0x000001CEED300000-0x000001CEED3AA000-memory.dmp
      Filesize

      680KB

      Download
    • memory/2196-12-0x000001CEED430000-0x000001CEED4A6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2196-267-0x000001CEECF10000-0x000001CEED0B9000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/3124-0-0x000002279E2C0000-0x000002279E2E2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3124-7-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3124-1-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3124-2-0x00000227B88D0000-0x00000227B88E0000-memory.dmp
      Filesize

      64KB

      Download