Analysis
-
max time kernel
31s -
max time network
39s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
25-08-2024 10:00
Errors
General
-
Target
TelegramRAT.exe
-
Size
111KB
-
MD5
86d8a483339d3ac873ae2c49db336ee8
-
SHA1
5745657762bb4a5dd51a366ddf09cee57e2ef88a
-
SHA256
3838e7e11bf662f1aa1f2ab3f253f28ae6f901b9990ea30463a5be286ecaf930
-
SHA512
60b32c56081712ebd581162d34abba2d55b2ecf917d703d62a6364b552cb58569e9cc32ede4296c5b76228520c52c1cc883d079b3f29df9afd9cf5d31912e3d8
-
SSDEEP
3072:ab4MOYUuQaS+T8sv8X31OjqOjNhOYRbxqH8QWczCrAZugjV:/YUuQaS+T8sv8X31OXNVbgP
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7530098852:AAGdvqJSNhZQt0RWkSJfG_yuTMTBKVgdCNU/sendMessage?chat_id=6686041459
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1016 rat.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 3112 tasklist.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 1996 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3888 schtasks.exe 1324 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1016 rat.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe 1016 rat.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 560 TelegramRAT.exe Token: SeDebugPrivilege 3112 tasklist.exe Token: SeDebugPrivilege 1016 rat.exe Token: SeDebugPrivilege 1016 rat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1016 rat.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 560 wrote to memory of 3888 560 TelegramRAT.exe 81 PID 560 wrote to memory of 3888 560 TelegramRAT.exe 81 PID 560 wrote to memory of 3192 560 TelegramRAT.exe 83 PID 560 wrote to memory of 3192 560 TelegramRAT.exe 83 PID 3192 wrote to memory of 3112 3192 cmd.exe 85 PID 3192 wrote to memory of 3112 3192 cmd.exe 85 PID 3192 wrote to memory of 3500 3192 cmd.exe 86 PID 3192 wrote to memory of 3500 3192 cmd.exe 86 PID 3192 wrote to memory of 1996 3192 cmd.exe 87 PID 3192 wrote to memory of 1996 3192 cmd.exe 87 PID 3192 wrote to memory of 1016 3192 cmd.exe 88 PID 3192 wrote to memory of 1016 3192 cmd.exe 88 PID 1016 wrote to memory of 1324 1016 rat.exe 90 PID 1016 wrote to memory of 1324 1016 rat.exe 90 PID 1016 wrote to memory of 3764 1016 rat.exe 96 PID 1016 wrote to memory of 3764 1016 rat.exe 96 PID 1016 wrote to memory of 700 1016 rat.exe 98 PID 1016 wrote to memory of 700 1016 rat.exe 98 PID 1016 wrote to memory of 3540 1016 rat.exe 99 PID 1016 wrote to memory of 3540 1016 rat.exe 99 PID 1016 wrote to memory of 2300 1016 rat.exe 100 PID 1016 wrote to memory of 2300 1016 rat.exe 100 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:3888
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp903A.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp903A.tmp.bat2⤵
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 560"3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3112
-
-
C:\Windows\system32\find.exefind ":"3⤵PID:3500
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak3⤵
- Delays execution with timeout.exe
PID:1996
-
-
C:\Users\ToxicEye\rat.exe"rat.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:1324
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3764
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"4⤵PID:700
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"4⤵PID:3540
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"4⤵PID:2300
-
-
C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe"4⤵PID:2760
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:2972
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:4832
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187B
MD5abb34d7aceb8e4ba2519ea69f049fb15
SHA1472bba4689c20b1a9b2ed128e4bc584ce01ce748
SHA256e2b62a2085c67407d9d53f4e693a528700279f40f49f12afafacd967375f7caa
SHA512874d08b8d6870619d94761872d40b69909f6a807ed13499b641a9695363aff47c7d11129693d0cd39bb22fd60edb55596d410a6a5844e2a4c40095d7862a5754
-
Filesize
111KB
MD586d8a483339d3ac873ae2c49db336ee8
SHA15745657762bb4a5dd51a366ddf09cee57e2ef88a
SHA2563838e7e11bf662f1aa1f2ab3f253f28ae6f901b9990ea30463a5be286ecaf930
SHA51260b32c56081712ebd581162d34abba2d55b2ecf917d703d62a6364b552cb58569e9cc32ede4296c5b76228520c52c1cc883d079b3f29df9afd9cf5d31912e3d8