Overview

overview

10

Static

static

10

TelegramRAT.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    79s
  • max time network
    91s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    31-08-2024 16:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TelegramRAT.exe

  • Size

    119KB

  • MD5

    744a6669adfa8bce81e4597c2319e6c7

  • SHA1

    231e577bebe54c02da09d4cc9edaad4788b9ffdd

  • SHA256

    6c6bcda804f70c873780eaa7554011f89240ef5e20eb394ea9adf022d0987382

  • SHA512

    1c2739e9339c82012077a9ca53bacd60c7db24bbec2be3eeea99eff61bc32f0f98364d2f8470de3cad0df4eb0a3f27d9640a5d17fd0394c7203c2f371663df62

  • SSDEEP

    3072:F5LSptv0JOaqSj6O+H/bxqHoQWAzCrAZuSGn:r8eqg6n/bgL

Score
10/10
toxiceyediscoveryrattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7082907700:AAFNviPXrHpaY6TWoCY2VClJln9DSSJ0vGE/sendMessage?chat_id=5590583541

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\jestemgejem.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1384
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCA35.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpCA35.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 1700"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:760
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:2960
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:2468
        • C:\Users\Admin\AppData\Local\jestemgejem.exe
          "jestemgejem.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4716
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\jestemgejem.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2820
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe"
            4⤵
              PID:2892
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe"
              4⤵
                PID:240
              • C:\Windows\System32\calc.exe
                "C:\Windows\System32\calc.exe"
                4⤵
                  PID:1200
                • C:\Windows\System32\notepad.exe
                  "C:\Windows\System32\notepad.exe"
                  4⤵
                    PID:1580
                  • C:\Windows\explorer.exe
                    "C:\Windows\explorer.exe"
                    4⤵
                      PID:3044
                    • C:\Windows\explorer.exe
                      "C:\Windows\explorer.exe"
                      4⤵
                        PID:4912
                      • C:\Windows\System32\calc.exe
                        "C:\Windows\System32\calc.exe"
                        4⤵
                          PID:2544
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe"
                          4⤵
                            PID:3060
                          • C:\Windows\System32\notepad.exe
                            "C:\Windows\System32\notepad.exe"
                            4⤵
                              PID:232
                            • C:\Windows\System32\notepad.exe
                              "C:\Windows\System32\notepad.exe"
                              4⤵
                                PID:5036
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                          1⤵
                            PID:4848
                          • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
                            "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
                            1⤵
                            • Modifies registry class
                            • Suspicious use of SetWindowsHookEx
                            PID:3348
                          • C:\Windows\system32\OpenWith.exe
                            C:\Windows\system32\OpenWith.exe -Embedding
                            1⤵
                              PID:4536
                            • C:\Windows\system32\OpenWith.exe
                              C:\Windows\system32\OpenWith.exe -Embedding
                              1⤵
                                PID:1020

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
                                Filesize

                                10KB

                                MD5

                                06f54da138064bcb87a50ea5796be0bc

                                SHA1

                                149614dcc0cc8a15d12e042639d53d364b692f5a

                                SHA256

                                fd00cc98658581a6d166ce94e14f68079c4a2948db69e5ac60755ac8c50c1f50

                                SHA512

                                530073a003f19a93945cc2d663cd395744c98b3d8377ed6fbc237be0b42b7ec23544fe149435e3d5d47b8d385c2a9bd1e2605222bbe2df0d3233edf10550202d

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
                                Filesize

                                10KB

                                MD5

                                2464a58269a134f2979060e336390b5c

                                SHA1

                                31d3185eb35ec0ccc4ad52f5cf0e278183315dbd

                                SHA256

                                554d683b35a8120871871ef5733e307f50400a424889bc1caf8b4375fd3bfc00

                                SHA512

                                9d93b63d2e7d55fe88bf6023db7f2c4581ebd9b03e2a17abe39b381eee19ca71e5f2bf85f19b022afe06936d2089ef1c5eeee0607ac3f8d1e1657560afb8666d

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\tmpCA35.tmp.bat
                                Filesize

                                207B

                                MD5

                                1696c3527cf6add530d9ea1cc11d09f2

                                SHA1

                                3509abc1b20b21aa280736dfb2060bc4f0bea731

                                SHA256

                                4dfb762aafe14e7b64a522e0d442745dfa053969e28565d3f78b26c7b3656d89

                                SHA512

                                846e7f3d81d6715e13b22775283eb429a9807fe9ed2a4fce7a39354d0eefad18d61128c9097c923930cf96089398a56faae0a9ad9cb0025cb2049f9fae4a500d

                                Download Submit

                              • C:\Users\Admin\AppData\Local\jestemgejem.exe
                                Filesize

                                119KB

                                MD5

                                744a6669adfa8bce81e4597c2319e6c7

                                SHA1

                                231e577bebe54c02da09d4cc9edaad4788b9ffdd

                                SHA256

                                6c6bcda804f70c873780eaa7554011f89240ef5e20eb394ea9adf022d0987382

                                SHA512

                                1c2739e9339c82012077a9ca53bacd60c7db24bbec2be3eeea99eff61bc32f0f98364d2f8470de3cad0df4eb0a3f27d9640a5d17fd0394c7203c2f371663df62

                                Download Submit

                              • memory/1700-0-0x00007FF9132B3000-0x00007FF9132B5000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/1700-1-0x000001B9CD090000-0x000001B9CD0B4000-memory.dmp

                                Filesize

                                144KB

                                Download

                              • memory/1700-2-0x00007FF9132B0000-0x00007FF913D72000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/1700-6-0x00007FF9132B0000-0x00007FF913D72000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4716-30-0x00000282E91D0000-0x00000282E927A000-memory.dmp

                                Filesize

                                680KB

                                Download

                              • memory/4716-31-0x00000282E9300000-0x00000282E9376000-memory.dmp

                                Filesize

                                472KB

                                Download