Analysis

  • max time kernel
    15s
  • max time network
    17s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-fr
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-fr, locale:fr-fr, os:windows10-1703-x64, system, windows
  • submitted
    11-09-2024 11:03

General

  • Target

    TelegramRAT.exe

  • Size

    111KB

  • MD5

    5937dd288b0505109a6848fbc5f21265

  • SHA1

    06716e8152c903b0ac6a96ea9f34b9a670bfea65

  • SHA256

    24d7a1d54d63be2e2f54348ec4c0845812e153309db6ab16d064921dbc1f5047

  • SHA512

    739c69cafbaa43a5515fa18997b68601ac07af9d265c63d20c81ef7bdf1ebe8c9413eefc3fd5f368534e3dc482af9ed5927a56eef1497d185c35ba99ec8c8289

  • SSDEEP

    1536:U+bNLszyDM91qQIw5dxZxdyyKDWfCbhDqI6jQWCzCrAZuWPWDR:bbNLs2D8LZxjQbxqHjQWCzCrAZuWyR

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7514641915:AAFzogNbQamJYUwX_0HIALzpEmh0fhPZ-6o/sendMessage?chat_id=4545912113

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\svhost\Windows Defender Notification.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2772
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp59B9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp59B9.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 1008"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:5100
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
        PID:3896
      • C:\Windows\system32\timeout.exe
        Timeout /T 1 /Nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:4600
      • C:\Users\svhost\Windows Defender Notification.exe
        "Windows Defender Notification.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1580
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\svhost\Windows Defender Notification.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1148
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1000

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp59B9.tmp.bat

      Filesize

      212B

      MD5

      b0b6880d4bde998960b5200ed30ba52a

      SHA1

      442b531f310240505d1e6993fdcd68e8b2ee4a0c

      SHA256

      25f6e342cf173e9f592f4f24145381ff794bf14513e9afc0d0d21f8b64dd2bea

      SHA512

      113ea129912503f67a57b1fde916ae2849f117bf2f2e38b01c16b8f8900e3de5324ae67e2e0b88e6ba3d901ef791b50faa8b07b155d70970c4003065f4c4ff87

    • C:\Users\svhost\Windows Defender Notification.exe

      Filesize

      111KB

      MD5

      5937dd288b0505109a6848fbc5f21265

      SHA1

      06716e8152c903b0ac6a96ea9f34b9a670bfea65

      SHA256

      24d7a1d54d63be2e2f54348ec4c0845812e153309db6ab16d064921dbc1f5047

      SHA512

      739c69cafbaa43a5515fa18997b68601ac07af9d265c63d20c81ef7bdf1ebe8c9413eefc3fd5f368534e3dc482af9ed5927a56eef1497d185c35ba99ec8c8289

    • memory/1008-0-0x00007FFF837B3000-0x00007FFF837B4000-memory.dmp

      Filesize

      4KB

    • memory/1008-1-0x0000017C29CA0000-0x0000017C29CC2000-memory.dmp

      Filesize

      136KB

    • memory/1008-2-0x00007FFF837B0000-0x00007FFF8419C000-memory.dmp

      Filesize

      9.9MB

    • memory/1008-6-0x00007FFF837B0000-0x00007FFF8419C000-memory.dmp

      Filesize

      9.9MB

    • memory/1580-17-0x000001FC40100000-0x000001FC40142000-memory.dmp

      Filesize

      264KB

    • memory/1580-18-0x000001FC40260000-0x000001FC40362000-memory.dmp

      Filesize

      1.0MB