General
-
Target
TelegramRAT.exe
-
Size
146KB
-
Sample
250327-zrqe9sxzat
-
MD5
b60ce934787eabc61c505105aa60e329
-
SHA1
6e0644631cfcd82f54bffb670af9d372663464a5
-
SHA256
de026d75eadca1410b2da8bf0ee7f54c6ce4083d843f9493551bfbea2ec8526f
-
SHA512
9b5e7f76840402b55b8e78fe3de7298cb388450746259a39022a222055806265b3816f6ed4f57b2d56380bb0eb3f17964c659b923589fb6c6573e3e859093ed1
-
SSDEEP
3072:N0Sv+x28V+cr6Ca5MXtzlfFD1ekW83fbZLQrQWXPCrAZuGF:N0C+xrvd1rW8vbFq
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot8131231612:AAHcaiAd3V1PfAUCNncfQGVu8o9wYaBwJNw/sendMessage?chat_id=8029727797
Targets
-
-
Target
TelegramRAT.exe
-
Size
146KB
-
MD5
b60ce934787eabc61c505105aa60e329
-
SHA1
6e0644631cfcd82f54bffb670af9d372663464a5
-
SHA256
de026d75eadca1410b2da8bf0ee7f54c6ce4083d843f9493551bfbea2ec8526f
-
SHA512
9b5e7f76840402b55b8e78fe3de7298cb388450746259a39022a222055806265b3816f6ed4f57b2d56380bb0eb3f17964c659b923589fb6c6573e3e859093ed1
-
SSDEEP
3072:N0Sv+x28V+cr6Ca5MXtzlfFD1ekW83fbZLQrQWXPCrAZuGF:N0C+xrvd1rW8vbFq
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Toxiceye family
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Enumerates processes with tasklist
-