General
-
Target
https://mega.nz/file/8jVhQAhC#ODXNzG4x8v3YT9b76ZytNrFdz4zBOX7t4ANzja-Akw0
-
Sample
240907-l6xagayeph
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://mega.nz/file/8jVhQAhC#ODXNzG4x8v3YT9b76ZytNrFdz4zBOX7t4ANzja-Akw0
Resource
win10v2004-20240802-en
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/sendMessage?chat_id=5597821522
Extracted
gurcu
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/sendMessage?chat_id=5597821522
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdate
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347524
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347525
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347526
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347527
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347528
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347529
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347530
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347531
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347532
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347533
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347534
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347535
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347536
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347537
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347538
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347539
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347540
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347541
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/getUpdates?offset=71347542
https://api.telegram.org/bot7313933025:AAHouyLOfu1tAXngtnciu-autL9gI2FqI-I/sendDocument?chat_id=559782152
Targets
-
-
Target
https://mega.nz/file/8jVhQAhC#ODXNzG4x8v3YT9b76ZytNrFdz4zBOX7t4ANzja-Akw0
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Enumerates processes with tasklist
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2