Overview

overview

10

Static

static

10

TelegramRAT.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    05/01/2025, 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TelegramRAT.exe

  • Size

    119KB

  • MD5

    47436ad8508cbdbede6535db163766bc

  • SHA1

    c6c6f8eb7dac9f294da1547e30c320a7d316bf52

  • SHA256

    43eca90ecc5958fd358a9240f31b1811ad2d01c6db10397cfd88e445ff8be5e0

  • SHA512

    255a5618cf57a4930e08e02628bef7533289e2968fcf0d1db617447f7c04245978fc9d83c29247ffd9478a5428a3491a28458bcb2eb05efb0a4566ad43bf5a9c

  • SSDEEP

    3072:gAWfRzlXCwwFwOwWAmm+G/bxqH8QW8zCrAZu/tM1:gAD1SWHe/bg/p

Score
10/10
gurcutoxiceyediscoveryratstealertrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/sendMessage?chat_id=8130842755

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/sendMessage?chat_id=8130842755

https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdate

https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=

https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=1

https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=2

https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=99022218

https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=99022219

https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=99022220

https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=99022221

https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=99022222

https://api.telegram.org/bot7919388970:AAGC7fUBzVyMANzjN6bhRPjR0LNTw4C5Zlo/getUpdates?offset=99022223

Signatures

  • Gurcu family
    gurcu
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

    stealergurcu
  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Toxiceye family
    toxiceye
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3724
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7530.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7530.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 4916"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3340
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:2752
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:4932
        • C:\Users\ToxicEye\rat.exe
          "rat.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1992
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1196
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c <command>
            4⤵
              PID:3216
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:752
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1016
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1240
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -Embedding
        1⤵
          PID:656
        • C:\Windows\system32\mmc.exe
          "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
          1⤵
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1976

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
          Filesize

          64KB

          MD5

          d2fb266b97caff2086bf0fa74eddb6b2

          SHA1

          2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

          SHA256

          b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

          SHA512

          c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

          Download Submit

        • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
          Filesize

          4B

          MD5

          f49655f856acb8884cc0ace29216f511

          SHA1

          cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

          SHA256

          7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

          SHA512

          599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

          Download Submit

        • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
          Filesize

          944B

          MD5

          6bd369f7c74a28194c991ed1404da30f

          SHA1

          0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

          SHA256

          878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

          SHA512

          8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp7530.tmp.bat
          Filesize

          188B

          MD5

          c9d5ded47f272ed3df68d06bfeee80d2

          SHA1

          5acc249da38cf4ade871eebdb92d8681f69a2851

          SHA256

          4c75684cfc4fcb0cfe1621153196dabe8793cb5f014667ae98787282c7e19e22

          SHA512

          eb1e9f6e4ff4643bc1c9c95fb63c5d5760606fd36ba117364ad60d8087cc7cbd3bab50f722dbd014a6000c0c11784af90ec0d1c04b587ba097144b84616a7095

          Download Submit

        • C:\Users\ToxicEye\rat.exe
          Filesize

          119KB

          MD5

          47436ad8508cbdbede6535db163766bc

          SHA1

          c6c6f8eb7dac9f294da1547e30c320a7d316bf52

          SHA256

          43eca90ecc5958fd358a9240f31b1811ad2d01c6db10397cfd88e445ff8be5e0

          SHA512

          255a5618cf57a4930e08e02628bef7533289e2968fcf0d1db617447f7c04245978fc9d83c29247ffd9478a5428a3491a28458bcb2eb05efb0a4566ad43bf5a9c

          Download Submit

        • memory/752-7-0x00000263F9690000-0x00000263F9691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/752-14-0x00000263F9690000-0x00000263F9691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/752-8-0x00000263F9690000-0x00000263F9691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/752-9-0x00000263F9690000-0x00000263F9691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/752-20-0x00000263F9690000-0x00000263F9691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/752-19-0x00000263F9690000-0x00000263F9691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/752-18-0x00000263F9690000-0x00000263F9691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/752-17-0x00000263F9690000-0x00000263F9691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/752-16-0x00000263F9690000-0x00000263F9691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/752-15-0x00000263F9690000-0x00000263F9691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-23-0x0000016415EE0000-0x0000016415EE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-30-0x0000016415EE0000-0x0000016415EE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-21-0x0000016415EE0000-0x0000016415EE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-28-0x0000016415EE0000-0x0000016415EE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-29-0x0000016415EE0000-0x0000016415EE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-22-0x0000016415EE0000-0x0000016415EE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-31-0x0000016415EE0000-0x0000016415EE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-33-0x0000016415EE0000-0x0000016415EE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1016-32-0x0000016415EE0000-0x0000016415EE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1992-53-0x0000022D2A410000-0x0000022D2A4BA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1992-54-0x0000022D2A540000-0x0000022D2A5B6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4916-1-0x0000019B93FB0000-0x0000019B93FD4000-memory.dmp

          Filesize

          144KB

          Download

        • memory/4916-2-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4916-5-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4916-0-0x00007FFC07BE3000-0x00007FFC07BE5000-memory.dmp

          Filesize

          8KB

          Download