Overview

overview

10

Static

static

10

TelegramRAT.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    434s
  • max time network
    1159s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10-12-2024 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TelegramRAT.exe

  • Size

    121KB

  • MD5

    117a350a0991d312d62eea33933f4f9b

  • SHA1

    3c4c2b9608bdf3b7e477cef26e12721187fb5558

  • SHA256

    a52f043910c50f8d250162379935316f63db792bf9824afd5dc326e12676a089

  • SHA512

    d09e19366b912189415c3eb8ca427afedbcd3baca280b33bad5e6817ec5ec01f09e4b9d5be32e63694a48c55bd962099182af64a34dbe2615fdb82963c497809

  • SSDEEP

    3072:/ItZ1HOSJAwncZ+5OG3wy+pKbxqHLQWHzCrAZuaNu:Lx+AG3wtKbg3

Score
10/10
toxiceyediscoveryratspywarestealertrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7677893184:AAE0-PsPfzGgNiPGIk585ulPgzKriWDrM10/sendMessage?chat_id=7494459853

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Toxiceye family
    toxiceye
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:104
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "System Event Notification Service Host" /tr "C:\Users\Static\NTUSER.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3484
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp8666.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp8666.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:464
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 104"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4808
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:4364
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:3248
        • C:\Users\Static\NTUSER.exe
          "NTUSER.exe"
          3⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3020
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "System Event Notification Service Host" /tr "C:\Users\Static\NTUSER.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2848
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c \run_import_Invoke-AmsiBypass.ps1
            4⤵
              PID:4888
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /c .\run_import_Invoke-AmsiBypass.ps1
              4⤵
                PID:4644
              • C:\Windows\explorer.exe
                "C:\Windows\explorer.exe"
                4⤵
                • Modifies registry class
                PID:4248
              • C:\Windows\explorer.exe
                "C:\Windows\explorer.exe"
                4⤵
                • Modifies registry class
                PID:1528
              • C:\Windows\explorer.exe
                "C:\Windows\explorer.exe"
                4⤵
                • Modifies registry class
                PID:2824
              • C:\Windows\System32\calc.exe
                "C:\Windows\System32\calc.exe"
                4⤵
                • Modifies registry class
                PID:4772
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:1472
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:2124

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp8666.tmp.bat
          Filesize

          188B

          MD5

          994d3e69813cab5335633452e02b402d

          SHA1

          767a74a2438b446b3025c91684430c9845554df7

          SHA256

          837a023237c38243c7ef3fd0e9dc01dfbcb02ca4a64c50e6a3c7408c7192170b

          SHA512

          a3f7cc7f0c23dfcea3c86b9ebe5adc914dad1211dae6473b81bd68157445cb2d139c3e416594fcacd95ac8396509554a97500910c2d16b3752b391831c8ed365

          Download Submit

        • C:\Users\Static\NTUSER.exe
          Filesize

          121KB

          MD5

          117a350a0991d312d62eea33933f4f9b

          SHA1

          3c4c2b9608bdf3b7e477cef26e12721187fb5558

          SHA256

          a52f043910c50f8d250162379935316f63db792bf9824afd5dc326e12676a089

          SHA512

          d09e19366b912189415c3eb8ca427afedbcd3baca280b33bad5e6817ec5ec01f09e4b9d5be32e63694a48c55bd962099182af64a34dbe2615fdb82963c497809

          Download Submit

        • memory/104-0-0x00007FFBB1873000-0x00007FFBB1875000-memory.dmp

          Filesize

          8KB

          Download

        • memory/104-1-0x0000023ABEBC0000-0x0000023ABEBE4000-memory.dmp

          Filesize

          144KB

          Download

        • memory/104-2-0x00007FFBB1870000-0x00007FFBB2332000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/104-6-0x00007FFBB1870000-0x00007FFBB2332000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3020-11-0x000001A55C4A0000-0x000001A55C54A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3020-12-0x000001A55C5D0000-0x000001A55C646000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3020-23-0x000001A55C180000-0x000001A55C18A000-memory.dmp

          Filesize

          40KB

          Download