Overview

overview

10

Static

static

10

TelegramRAT.exe

windows11-21h2-x64

Analysis

  • max time kernel
    31s
  • max time network
    39s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-08-2024 10:00

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    TelegramRAT.exe

  • Size

    111KB

  • MD5

    86d8a483339d3ac873ae2c49db336ee8

  • SHA1

    5745657762bb4a5dd51a366ddf09cee57e2ef88a

  • SHA256

    3838e7e11bf662f1aa1f2ab3f253f28ae6f901b9990ea30463a5be286ecaf930

  • SHA512

    60b32c56081712ebd581162d34abba2d55b2ecf917d703d62a6364b552cb58569e9cc32ede4296c5b76228520c52c1cc883d079b3f29df9afd9cf5d31912e3d8

  • SSDEEP

    3072:ab4MOYUuQaS+T8sv8X31OjqOjNhOYRbxqH8QWczCrAZugjV:/YUuQaS+T8sv8X31OXNVbgP

Score
10/10
toxiceyediscoveryrattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7530098852:AAGdvqJSNhZQt0RWkSJfG_yuTMTBKVgdCNU/sendMessage?chat_id=6686041459

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3888
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp903A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp903A.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 560"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3112
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:3500
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:1996
        • C:\Users\ToxicEye\rat.exe
          "rat.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1324
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe"
            4⤵
              PID:3764
            • C:\Windows\System32\notepad.exe
              "C:\Windows\System32\notepad.exe"
              4⤵
                PID:700
              • C:\Windows\explorer.exe
                "C:\Windows\explorer.exe"
                4⤵
                  PID:3540
                • C:\Windows\explorer.exe
                  "C:\Windows\explorer.exe"
                  4⤵
                    PID:2300
                  • C:\Windows\System32\calc.exe
                    "C:\Windows\System32\calc.exe"
                    4⤵
                      PID:2760
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                1⤵
                  PID:2972
                • C:\Windows\system32\OpenWith.exe
                  C:\Windows\system32\OpenWith.exe -Embedding
                  1⤵
                    PID:4832

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\tmp903A.tmp.bat
                    Filesize

                    187B

                    MD5

                    abb34d7aceb8e4ba2519ea69f049fb15

                    SHA1

                    472bba4689c20b1a9b2ed128e4bc584ce01ce748

                    SHA256

                    e2b62a2085c67407d9d53f4e693a528700279f40f49f12afafacd967375f7caa

                    SHA512

                    874d08b8d6870619d94761872d40b69909f6a807ed13499b641a9695363aff47c7d11129693d0cd39bb22fd60edb55596d410a6a5844e2a4c40095d7862a5754

                    Download Submit

                  • C:\Users\ToxicEye\rat.exe
                    Filesize

                    111KB

                    MD5

                    86d8a483339d3ac873ae2c49db336ee8

                    SHA1

                    5745657762bb4a5dd51a366ddf09cee57e2ef88a

                    SHA256

                    3838e7e11bf662f1aa1f2ab3f253f28ae6f901b9990ea30463a5be286ecaf930

                    SHA512

                    60b32c56081712ebd581162d34abba2d55b2ecf917d703d62a6364b552cb58569e9cc32ede4296c5b76228520c52c1cc883d079b3f29df9afd9cf5d31912e3d8

                    Download Submit

                  • memory/560-0-0x00007FFE30A53000-0x00007FFE30A55000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/560-1-0x000001BD60E40000-0x000001BD60E62000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/560-2-0x00007FFE30A50000-0x00007FFE31512000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/560-7-0x00007FFE30A50000-0x00007FFE31512000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1016-11-0x0000020A78420000-0x0000020A78496000-memory.dmp

                    Filesize

                    472KB

                    Download

                  • memory/1016-12-0x0000020A78550000-0x0000020A785FA000-memory.dmp

                    Filesize

                    680KB

                    Download