Analysis
- max time kernel: 8s
- max time network: 21s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/01/2025, 13:46
Behavioral task: behavioral1
- Sample: 0C1CU_TelegramRAT.exe
- Resource: win7-20240903-en
Errors
General
- Target: 0C1CU_TelegramRAT.exe
- Size: 119KB
- MD5: 57ec698eadd8a43268b10ee599c5e2b3
- SHA1: 6bcc4f0da802feb01914faf33eb2c32aafdbf707
- SHA256: 31312ebd622e3183979c4881b32bf5a9cb33c45b9216cac1dd33af4d12da77be
- SHA512: b19a4a45003592c9b3b4fdc1ee65461f459f8e41c759571ae0b3925be716b353620a9f1e1fe59fc49901a28aead8d5ed56bac4d5ff1fa123b29046f3a44cd8a6
- SSDEEP: 3072:+nKxltkwILOo2qmm+G/bxqHhQWqzCrAZuu7Y:Zti2xe/bge
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590
Signatures
- Toxiceye family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (process: 0C1CU_TelegramRAT.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (process: Tel.exe)
- Executes dropped EXE (1 IoCs)
  - PID 4576: Tel.exe
- Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  - PID 4180: tasklist.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  - PID 2464: timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 3500: schtasks.exe
  - PID 1932: schtasks.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  - PID 4576: Tel.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 4576: Tel.exe
  - PID 4576: Tel.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  - Token: SeDebugPrivilege, PID 3504: 0C1CU_TelegramRAT.exe
  - Token: SeDebugPrivilege, PID 4180: tasklist.exe
  - Token: SeDebugPrivilege, PID 4576: Tel.exe
  - Token: SeDebugPrivilege, PID 4576: Tel.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  - PID 4576: Tel.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process                procid_target
  PID 3504 wrote to memory of 3500   3504  0C1CU_TelegramRAT.exe  85
  PID 3504 wrote to memory of 3500   3504  0C1CU_TelegramRAT.exe  85
  PID 3504 wrote to memory of 2764   3504  0C1CU_TelegramRAT.exe  87
  PID 3504 wrote to memory of 2764   3504  0C1CU_TelegramRAT.exe  87
  PID 2764 wrote to memory of 4180   2764  cmd.exe                89
  PID 2764 wrote to memory of 4180   2764  cmd.exe                89
  PID 2764 wrote to memory of 2252   2764  cmd.exe                90
  PID 2764 wrote to memory of 2252   2764  cmd.exe                90
  PID 2764 wrote to memory of 2464   2764  cmd.exe                91
  PID 2764 wrote to memory of 2464   2764  cmd.exe                91
  PID 2764 wrote to memory of 4576   2764  cmd.exe                92
  PID 2764 wrote to memory of 4576   2764  cmd.exe                92
  PID 4576 wrote to memory of 1932   4576  Tel.exe                94
  PID 4576 wrote to memory of 1932   4576  Tel.exe                94
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\0C1CU_TelegramRAT.exe (PID 3504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0C1CU_TelegramRAT.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\schtasks.exe (PID 3500)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Tel\Tel.exe"
    - Scheduled Task/Job: Scheduled Task
  C:\Windows\System32\cmd.exe (PID 2764)
    Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp48F.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp48F.tmp.bat
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\tasklist.exe (PID 4180)
      Command line: Tasklist /fi "PID eq 3504"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\find.exe (PID 2252)
      Command line: find ":"
    C:\Windows\system32\timeout.exe (PID 2464)
      Command line: Timeout /T 1 /Nobreak
      - Delays execution with timeout.exe
    C:\Users\Tel\Tel.exe (PID 4576)
      Command line: "Tel.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\schtasks.exe (PID 1932)
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Tel\Tel.exe"
        - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 189B
  MD5: 75bb8647b123eb86f4f5d953e177d567
  SHA1: 3f2cd2024f978607af898c30011b1a37a48db94c
  SHA256: b382c398ed11991f7c0499f341f65281732d05b05145455c8d8ee8ccbcfc8e23
  SHA512: cb7ee8bf45ca30266d16b087845cf16d27c2c5a7d61108a4144c108738b4b4b30b6971b897d625ba4db97f779315ff4cf8fde0b85f5c3ae5382644b0d0a4b45d
- Filesize: 119KB
  MD5: 57ec698eadd8a43268b10ee599c5e2b3
  SHA1: 6bcc4f0da802feb01914faf33eb2c32aafdbf707
  SHA256: 31312ebd622e3183979c4881b32bf5a9cb33c45b9216cac1dd33af4d12da77be
  SHA512: b19a4a45003592c9b3b4fdc1ee65461f459f8e41c759571ae0b3925be716b353620a9f1e1fe59fc49901a28aead8d5ed56bac4d5ff1fa123b29046f3a44cd8a6