Overview

overview

10

Static

static

10

TelegramRAT.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    15s
  • max time network
    17s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-fr
  • resource tags

    arch:x64arch:x86image:win10-20240404-frlocale:fr-fros:windows10-1703-x64systemwindows
  • submitted
    11-09-2024 11:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TelegramRAT.exe

  • Size

    111KB

  • MD5

    025bf19e446008b4c106c0a7902d0642

  • SHA1

    adfd46ffc2ed0d222300a14b44a3dc12501afc2d

  • SHA256

    57fc2aa26b8201492d155bf05feb116cd0dc014731b62c3037c6fbfcd9f164f0

  • SHA512

    ba105aad1638dbee0dd055a2fe558dba7da6c8561644fb4d4e2446d72b01f55eaaf61c024010b430fb0d76ebf89363217e329e366831a340944848f7498625fe

  • SSDEEP

    1536:s+beLszyDM91qQIw5dxZxdyyKDWfCbhDqI6jQWCzCrAZuWXWDz:DbeLs2D8LZxjQbxqHjQWCzCrAZuW6z

Score
10/10
toxiceyediscoveryrattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7514641915:AAFzogNbQamJYUwX_0HIALzpEmh0fhPZ-6o/sendMessage?chat_id=4545912113

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\svhost\Windows Defender Notification.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4092
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp6B8B.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp6B8B.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 2132"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4844
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:2208
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:4432
        • C:\Users\svhost\Windows Defender Notification.exe
          "Windows Defender Notification.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5116
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\svhost\Windows Defender Notification.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4692

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp6B8B.tmp.bat
      Filesize

      212B

      MD5

      fdf4341326720c30b2d0078c8a3ea211

      SHA1

      f4778883cbb30645ff03d215dfdec74211161bd7

      SHA256

      6e749203947afdac27c4a6216d1e69e9137138d1fa43770c320b828c25718cda

      SHA512

      32f3bea752c98474fb60531abec98c2ecac18523f03b4c9a01baf447943175d55208cbe394417cb6269868c7ed0ccd09e74d0411aab784448e604aded8304da6

      Download Submit

    • C:\Users\svhost\Windows Defender Notification.exe
      Filesize

      111KB

      MD5

      025bf19e446008b4c106c0a7902d0642

      SHA1

      adfd46ffc2ed0d222300a14b44a3dc12501afc2d

      SHA256

      57fc2aa26b8201492d155bf05feb116cd0dc014731b62c3037c6fbfcd9f164f0

      SHA512

      ba105aad1638dbee0dd055a2fe558dba7da6c8561644fb4d4e2446d72b01f55eaaf61c024010b430fb0d76ebf89363217e329e366831a340944848f7498625fe

      Download Submit

    • memory/2132-0-0x00007FFAF00B3000-0x00007FFAF00B4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2132-1-0x000001B3D2EE0000-0x000001B3D2F02000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2132-2-0x00007FFAF00B0000-0x00007FFAF0A9C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2132-6-0x00007FFAF00B0000-0x00007FFAF0A9C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/5116-11-0x0000019877300000-0x0000019877342000-memory.dmp

      Filesize

      264KB

      Download

    • memory/5116-12-0x00000198774E0000-0x00000198775E2000-memory.dmp

      Filesize

      1.0MB

      Download