toxiceye | TelegramRAT[.]exe | Triage

Sharing

General

Target

TelegramRAT.exe
Size

111KB
MD5

fba83f24aac967fffc57baf01c095893
SHA1

8cdab10a3facee2d4f758911c3f2e00bb91281b3
SHA256

5d8daed4827846f5c371eb9d958d4b478fa357a495a1cb68df9eecbf40142281
SHA512

22ea406650183dfdd3f27ae9f1461550c3c9de2e62507f0c1af5b783e776df40ed2e59f7d7f009dc8f23b4b1705d7f909c2681501785ef0ec14ba2aa60ca51dc
SSDEEP

1536:I+bUlO0pkM91qQIw8yr9xZxdyyKDWfybhDqI6bQWCzCrAZuqUqDQ:fbWOYkDyrrZxjQbxqHbQWCzCrAZuqBQ

Score

10^/10

toxiceye

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7709903928:AAH-JjBArW0_8_MX2hpJCxd-s2x1v94lP2Y/sendMessage?chat_id=5101964078

Signatures

Toxiceye family
toxiceye

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
TelegramRAT.exe

Files

TelegramRAT.exe
.exe windows:4 windows x86 arch:x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\kanye\AppData\Local\Temp\Rar$DRa15520.4789.rartemp\ToxicEye-master\TelegramRAT\TelegramRAT\obj\Release\TelegramRAT.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 108KB - Virtual size: 108KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ