Overview

overview

10

Static

static

10

TelegramRAT.exe

windows7-x64

10

TelegramRAT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    16-08-2024 22:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TelegramRAT.exe

  • Size

    111KB

  • MD5

    86de4e40528fd099ae01872b6af837cf

  • SHA1

    c616d8e3dc5643a15127dce69a327ce37a6b8ab8

  • SHA256

    7485b221926010f27cda7f15f35a5c465558eb8c20b4fc37053850ed2b4a211a

  • SHA512

    e9912f89c17ff6e7cd897d3256a2a4cd097090dcfee2a8dd85d98de0e618513efe8d3508cca5cbeb2711f27b4602c22cadd25f8eb1b417e7244da54a5db3a4c5

  • SSDEEP

    1536:Y+bxQAsnqLoM91qQIwxHxZxdyyKDWfCbhDqI64QWEzCrAZuhn7Dr:PbTsnwo0RZxjQbxqH4QWEzCrAZuh/r

Score
10/10
toxiceyediscoveryrattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7302074945:AAGKx5TnjPyRM_fqN4XQLd4uz-PUp4nl8w4/sendMessage?chat_id=6414125020

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
    adwarespyware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1904
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpDB80.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpDB80.tmp.bat
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 1512"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2876
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:2896
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:2700
        • C:\Users\ToxicEye\rat.exe
          "rat.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2072
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2708 -s 1612
            4⤵
              PID:2792
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275457 /prefetch:2
          2⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3044
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:275457 /prefetch:2
          2⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3024

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        b895adb1c3530f9100eb0607b87fba84

        SHA1

        5374424079600c25e506b0b5ec25bd671a8beff2

        SHA256

        9a27c1a6ee663d3cd7690d7ce2f23c17659fcfe28bef73fa1a40ec78ac227e78

        SHA512

        2e508449d0457c45358f49c95020e8d0a77fdf9aae8db0d840457caa99bc05ba6d0e03813eabfcc0a229b6a726aeb1c8aa3d3ceccb066533a8cd524f7f3aa855

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        56b8588b3248ebda55c30d80e91e8db7

        SHA1

        62140d4d528ffc7d7e2dd92eb121a17209a475a9

        SHA256

        f5c1ccde42b51b08380e8129fbec96ed31aeef186f6ea19821886f258609d250

        SHA512

        860e2faa9dcd1dc79bd74ad1a948ddbe57850ce5442ad4dbbc76bce9a940904437d00ed51254229cd9d4fd3ec2c13d8f066660ca60e74352dfb1fd051d91f643

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        d7bc951b8e0b487ea5103a423452891e

        SHA1

        50120d941e59827a86a021337cf985958b953153

        SHA256

        ecba65e63e91d0efce87787708b819407defbb2d62353ea87b0402b09440771b

        SHA512

        1d50dbff034f4cc6359ee79818a4e6b8fe348e3b09239800873c0ff4a83715359493f3e818b6533a24372076c3eb1e3d0dbe745dd3dde209b4ecde9153563da6

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        a0b15dfe2d2245653c34999c55fde866

        SHA1

        f3cb1ea704296c031eba700dc5873a45ace7d3df

        SHA256

        9e20006b0a8d38925cc3180561e9258a7532dad8598f2131517a1cda3f331fbd

        SHA512

        aec77a87706d907e5bb1cb6f2a7068c19495ace9da5e324332a494a90abcc765f97579281c938f764da1b5a835999150ac97d4a400a4efaa48fa3cec7696c0e4

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        f44fd7bcbf4ab481485e967c146a35b2

        SHA1

        eff5c4fb3fbefa192a336334eb1a60069a478d10

        SHA256

        fde41bc7821ef2c38fe7e3d024fb79706b35ce6d1c90fc174f5223d093fafda3

        SHA512

        2676da52b9ae4e60c0baab1ad2c61a1c5831eab4526c529d356eb4e5e449460619f3dff3a40d2673b9cfefd9ad67c41371b75443f97afffe25be97ee8862c9ba

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        66588edef9b0816dc2df235f6f50f26a

        SHA1

        d412beddcd9cf1374d5f8c5edb076b8304a80f34

        SHA256

        26200b20f7006ae5ddb183d107d2af70dcfa566795526657f6d07e478742e4f3

        SHA512

        b47d97bbdf520f235136894993d97f12af6223a173a50b55584ea47a0bb122cff972fdb1a000b16fc35f317cc1a44e25bc26da0eedd6e06ff86007965d98ce0e

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        681dee1343a6a987ae6cb5e8d1302854

        SHA1

        6470d826842c0c77841597fb76741be63220ad79

        SHA256

        e362b9a0dcbd2a788c29509fc1fb154d2e0e14651324eb71f32901423c02a3f6

        SHA512

        3d06ddc83687a686270d2c0bccdf57c5320424838e3513dd270d29aaf9d882d86d690689e2e41aad7d39de3fcdb79a56d306f3c15828b7b72d9aceb01c75ad81

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        7e53f1e1d5015e23b5c0deeaf4c7879d

        SHA1

        6556f1223db3d20658d234271a21d9dc72cd9856

        SHA256

        43f976e9f54be6e199605b335ffc9559067902bc60fe095e6d4a52e296b95793

        SHA512

        37fac1e3029fcf4125b6bb1fd748a7fa1212668bc4666cb0b1bfb16a3664d4e17e41ddcadcbb64f2f6b0eacb169ac6b4b1cc86ec0ed9f0305ccb010fdefd279a

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        342B

        MD5

        92c99eced7df1ee2f9e4dfc838487e3d

        SHA1

        91e60a550d8909125632bf59077b93044d2817e5

        SHA256

        96d17ce6fb6d5c0f0c4b6d258c16143aac5663d246bee4b541422891addc3357

        SHA512

        d6cd0aaaaf3ecc929943d06bbed04854da9d5e2925ddac755e582929a5b9c0ea20f1d81e686d0e6763ec4f7561dc6a10e91948b5a8339e6ce276673227d6ee20

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B612DDB1-5C1F-11EF-A251-667598992E52}.dat
        Filesize

        4KB

        MD5

        fce0db9005d585353a150b7bfb2f731f

        SHA1

        f80e8a3eadf4fcea0db2d7ef5015ae65dc2bf391

        SHA256

        d751824ea1fb895ccaa921ccd141aeb71d5ffe1e64881b04ac7dada1722b2524

        SHA512

        0cc0d92b9fc48d0874bb374e1d2f89f0a513319cb358713175f7fc6701445dbe84220db72ce2b7e377292a39984fcdd2fcdc13ee38d829f8a50440f6e6cb0ff3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B61304C1-5C1F-11EF-A251-667598992E52}.dat
        Filesize

        5KB

        MD5

        9359f4d7a726d9f6b8ffd5ff227620c0

        SHA1

        a1dd3ee46ecf81fd668d6d39c7008eb99671dcdd

        SHA256

        2f3333dc98f0ab344d69659def855473d43fd6fa09354e5335174a3d3502dde0

        SHA512

        3de460c28fa8c8cfde5a4f9674c8bf70dd426027c7af0756ef26b37f00fa796d67a6b7b61ccd1fe99c7022f2f46b098dd22a3ab3938141a6c08183cdac3472d7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Cab9934.tmp
        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Tar9A04.tmp
        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpDB80.tmp.bat
        Filesize

        188B

        MD5

        595682210c0ca42bfeb385a0d0ee03ca

        SHA1

        00be1b34d19f2e04e572d8ce421acbd9ceac7eb8

        SHA256

        2077c8bac2919054e256d61475506ad7e2c05333d32454ef44027fce10909753

        SHA512

        810595451edb71db440a26dd2d3b01790790a04bfb88d1644417311753507c95b58df5e4172792d74d2be919d8062d9386e9850ccef07ee82f4a6bcfd29b1721

        Download Submit

      • C:\Users\ToxicEye\rat.exe
        Filesize

        111KB

        MD5

        86de4e40528fd099ae01872b6af837cf

        SHA1

        c616d8e3dc5643a15127dce69a327ce37a6b8ab8

        SHA256

        7485b221926010f27cda7f15f35a5c465558eb8c20b4fc37053850ed2b4a211a

        SHA512

        e9912f89c17ff6e7cd897d3256a2a4cd097090dcfee2a8dd85d98de0e618513efe8d3508cca5cbeb2711f27b4602c22cadd25f8eb1b417e7244da54a5db3a4c5

        Download Submit

      • memory/1512-0-0x000007FEF59B3000-0x000007FEF59B4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1512-6-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1512-2-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1512-1-0x0000000000340000-0x0000000000362000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2708-10-0x00000000011A0000-0x00000000011C2000-memory.dmp

        Filesize

        136KB

        Download