General

  • Target: TelegramRAT.exe
  • Size: 146KB
  • Sample: 250327-zrqe9sxzat
  • MD5: b60ce934787eabc61c505105aa60e329
  • SHA1: 6e0644631cfcd82f54bffb670af9d372663464a5
  • SHA256: de026d75eadca1410b2da8bf0ee7f54c6ce4083d843f9493551bfbea2ec8526f
  • SHA512: 9b5e7f76840402b55b8e78fe3de7298cb388450746259a39022a222055806265b3816f6ed4f57b2d56380bb0eb3f17964c659b923589fb6c6573e3e859093ed1
  • SSDEEP: 3072:N0Sv+x28V+cr6Ca5MXtzlfFD1ekW83fbZLQrQWXPCrAZuGF:N0C+xrvd1rW8vbFq

Malware Config (Extracted)

  • Family: toxiceye
  • C2: https://api.telegram.org/bot8131231612:AAHcaiAd3V1PfAUCNncfQGVu8o9wYaBwJNw/sendMessage?chat_id=8029727797

Targets

    • Target: TelegramRAT.exe
    • Size: 146KB
    • MD5: b60ce934787eabc61c505105aa60e329
    • SHA1: 6e0644631cfcd82f54bffb670af9d372663464a5
    • SHA256: de026d75eadca1410b2da8bf0ee7f54c6ce4083d843f9493551bfbea2ec8526f
    • SHA512: 9b5e7f76840402b55b8e78fe3de7298cb388450746259a39022a222055806265b3816f6ed4f57b2d56380bb0eb3f17964c659b923589fb6c6573e3e859093ed1
    • SSDEEP: 3072:N0Sv+x28V+cr6Ca5MXtzlfFD1ekW83fbZLQrQWXPCrAZuGF:N0C+xrvd1rW8vbFq

    Signatures

    • Contains code to disable Windows Defender
      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • ToxicEye
      ToxicEye is a trojan written in C#.

    • Toxiceye family

    • Downloads MZ/PE file

    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15