Overview

overview

10

Static

static

10

TelegramRAT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2025 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TelegramRAT.exe

  • Size

    111KB

  • MD5

    48956d16278bdeb1f20efa2100a48f77

  • SHA1

    24d9416bf14e6a0d8a9b4970e427adf2bfc8198f

  • SHA256

    214cd570dd081fdde7641308a69ec11f27359e77251e6f21560065336c5b1760

  • SHA512

    0f809d1b3d0495d7247dc150f51a4633652f1aa942983796b0ba785216e334089c1af03e82e16267dad9052ccb576b09dfdd63dee01d834385819f3e7ffcdc88

  • SSDEEP

    3072:Fb5EHVelXr0ZxjQbxqHUVQWJzCrAZuhNdfm9jAbh0:PEHVelbAUbU0D

Score
10/10
toxiceyediscoveryrattrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7803199494:AAF60TOiu94ys8A9DeptAR86ERQjmvZMxEo/sendMessage?chat_id=1687153050

Signatures

  • ToxicEye

    ToxicEye is a trojan written in C#.

    rattrojantoxiceye
  • Toxiceye family
    toxiceye
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\TelegramRAT.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:956
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp98E4.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp98E4.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Windows\system32\tasklist.exe
        Tasklist /fi "PID eq 3724"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3744
      • C:\Windows\system32\find.exe
        find ":"
        3⤵
          PID:4016
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          3⤵
          • Delays execution with timeout.exe
          PID:5112
        • C:\Users\ToxicEye\rat.exe
          "rat.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3504
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4700
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x500 0x504
      1⤵
        PID:1228
      • C:\Windows\system32\notepad.exe
        "C:\Windows\system32\notepad.exe"
        1⤵
          PID:4464

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp98E4.tmp.bat
          Filesize

          188B

          MD5

          5d7ecb44ae319b6ecf6b296e7bb9a4eb

          SHA1

          6daa79eadab388d35f483eee12542fb5a7e78b87

          SHA256

          7daa75a939ae3147bd0fedce39508b97675dc4afecb6fc550ba2abe47d8f35f1

          SHA512

          d81d3a6ae83d2c367e9a20759624f9ef2e3fa60f5ba610d7e8d90502d2cf8c32b41525672507c743fa112ca042e43c729ac6a29e8d22def23669e5014fc42c5a

          Download Submit

        • C:\Users\ToxicEye\keylogs
          Filesize

          156B

          MD5

          892fbb7b8192dbf76420aed2b19f673e

          SHA1

          b6f9c7f035f48030ad945489f9e8f3f71e85eaa5

          SHA256

          9f4bbfbee319142e9119039517befa4e427c9f6debf030804c2c5112e4469065

          SHA512

          78e920b2b447782b02a7f0f01997001878339f1792d2eb39ea28f27c489740269c856138f72b6ec89f4a8598160617f0805bc218d67531e065e6594bfa52354f

          Download Submit

        • C:\Users\ToxicEye\rat.exe
          Filesize

          111KB

          MD5

          48956d16278bdeb1f20efa2100a48f77

          SHA1

          24d9416bf14e6a0d8a9b4970e427adf2bfc8198f

          SHA256

          214cd570dd081fdde7641308a69ec11f27359e77251e6f21560065336c5b1760

          SHA512

          0f809d1b3d0495d7247dc150f51a4633652f1aa942983796b0ba785216e334089c1af03e82e16267dad9052ccb576b09dfdd63dee01d834385819f3e7ffcdc88

          Download Submit

        • memory/3504-18-0x00000215E9CC0000-0x00000215E9CD0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3504-11-0x00000215EA220000-0x00000215EA2CA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3504-12-0x00000215EA350000-0x00000215EA3C6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3504-16-0x00000215E9F80000-0x00000215E9F9A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3504-19-0x00000215EA120000-0x00000215EA132000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3504-20-0x00000215E9FA0000-0x00000215E9FAA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3724-6-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3724-2-0x00007FFCFD080000-0x00007FFCFDB41000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3724-0-0x00007FFCFD083000-0x00007FFCFD085000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3724-1-0x000001C797570000-0x000001C797592000-memory.dmp

          Filesize

          136KB

          Download