toxiceye | TelegramRAT[.]exe | Triage

Sharing

General

Target

TelegramRAT.exe
Size

111KB
MD5

86de4e40528fd099ae01872b6af837cf
SHA1

c616d8e3dc5643a15127dce69a327ce37a6b8ab8
SHA256

7485b221926010f27cda7f15f35a5c465558eb8c20b4fc37053850ed2b4a211a
SHA512

e9912f89c17ff6e7cd897d3256a2a4cd097090dcfee2a8dd85d98de0e618513efe8d3508cca5cbeb2711f27b4602c22cadd25f8eb1b417e7244da54a5db3a4c5
SSDEEP

1536:Y+bxQAsnqLoM91qQIwxHxZxdyyKDWfCbhDqI64QWEzCrAZuhn7Dr:PbTsnwo0RZxjQbxqH4QWEzCrAZuh/r

Score

10^/10

toxiceye

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7302074945:AAGKx5TnjPyRM_fqN4XQLd4uz-PUp4nl8w4/sendMessage?chat_id=6414125020

Signatures

Toxiceye family
toxiceye
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

TelegramRAT.exe

Files

TelegramRAT.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\devba\Downloads\ToxicEye-master\TelegramRAT\TelegramRAT\obj\Release\TelegramRAT.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 108KB - Virtual size: 108KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ