Analysis
max time kernel: 8s
max time network: 9s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 05/01/2025, 13:35
General
Target: TelegramRAT.exe
Size: 119KB
MD5: 6bb2ac8cb9f84678bdfba1a061d53421
SHA1: f5b8388a153d28b7d3434d16b07e557ca08e0132
SHA256: 2a29eb506737661d820f87409e83732a8b4a4e66fae7af2cb9776f0c34428054
SHA512: 2e18c23e4ba26fe318fb52187102863c5cc1e9f415a96578ea7ef68686f2061a78cd39488dbce5008c2d7e854baa8c46783388d81453b28bf65d580598e9a755
SSDEEP: 3072:OOfRzlXCwwFwOwWAmm+G/bxqH8QWqzCrAZuuWN:Or1SWHe/bgR
Malware Config
Extracted (toxiceye):
https://api.telegram.org/bot7742822790:AAHkizf3bilCkIqp8NNVcbWObKSVKo8Xifo/sendMessage?chat_id=7053620590
Signatures
- Toxiceye family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation  (process: rat.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation  (process: TelegramRAT.exe)
- Executes dropped EXE (1 IoC)
  PID 2096  rat.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 1860  tasklist.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  PID 2124  timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4712  schtasks.exe
  PID 1452  schtasks.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 2096  rat.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2096  rat.exe
  PID 2096  rat.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  PID 444   TelegramRAT.exe
  Token: SeDebugPrivilege  PID 1860  tasklist.exe
  Token: SeDebugPrivilege  PID 2096  rat.exe
  Token: SeDebugPrivilege  PID 2096  rat.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2096  rat.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process          procid_target
  PID 444 wrote to memory of 4712    444   TelegramRAT.exe  84
  PID 444 wrote to memory of 4712    444   TelegramRAT.exe  84
  PID 444 wrote to memory of 2944    444   TelegramRAT.exe  86
  PID 444 wrote to memory of 2944    444   TelegramRAT.exe  86
  PID 2944 wrote to memory of 1860   2944  cmd.exe          88
  PID 2944 wrote to memory of 1860   2944  cmd.exe          88
  PID 2944 wrote to memory of 828    2944  cmd.exe          89
  PID 2944 wrote to memory of 828    2944  cmd.exe          89
  PID 2944 wrote to memory of 2124   2944  cmd.exe          92
  PID 2944 wrote to memory of 2124   2944  cmd.exe          92
  PID 2944 wrote to memory of 2096   2944  cmd.exe          93
  PID 2944 wrote to memory of 2096   2944  cmd.exe          93
  PID 2096 wrote to memory of 1452   2096  rat.exe          96
  PID 2096 wrote to memory of 1452   2096  rat.exe          96
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe  (PID 444)
  command line: "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  children:
  - C:\Windows\System32\schtasks.exe  (PID 4712)
    command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\System32\cmd.exe  (PID 2944)
    command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9376.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp9376.tmp.bat
    - Suspicious use of WriteProcessMemory
    children:
    - C:\Windows\system32\tasklist.exe  (PID 1860)
      command line: Tasklist /fi "PID eq 444"
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\find.exe  (PID 828)
      command line: find ":"
    - C:\Windows\system32\timeout.exe  (PID 2124)
      command line: Timeout /T 1 /Nobreak
      - Delays execution with timeout.exe
    - C:\Users\ToxicEye\rat.exe  (PID 2096)
      command line: "rat.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      children:
      - C:\Windows\System32\schtasks.exe  (PID 1452)
        command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
        - Scheduled Task/Job: Scheduled Task
Downloads
- Filesize: 187B
  MD5: 55accf2fee0ae57bcf1deb3e2ccfe4ac
  SHA1: 6b238de539f15982d7e1c817f9631d4b2581e569
  SHA256: bd7d78f32818bca328162e8ff107c10ea4f92570b2a3947d972d34a63dfb2c42
  SHA512: 00067ec78e48f9e1ef9d357c814f6e586aa1e193c7ce65aabbda4e3df6b90faf95de019c48f58712e74d3fcaf0219675d43c6cbf0977a6812d2ddfead6c9db7d
- Filesize: 119KB
  MD5: 6bb2ac8cb9f84678bdfba1a061d53421
  SHA1: f5b8388a153d28b7d3434d16b07e557ca08e0132
  SHA256: 2a29eb506737661d820f87409e83732a8b4a4e66fae7af2cb9776f0c34428054
  SHA512: 2e18c23e4ba26fe318fb52187102863c5cc1e9f415a96578ea7ef68686f2061a78cd39488dbce5008c2d7e854baa8c46783388d81453b28bf65d580598e9a755