General
-
Target
TelegramRAT.exe
-
Size
136KB
-
Sample
250330-qsz7es1rz2
-
MD5
e629176520460b7286b9b860ee751c7a
-
SHA1
74c626e83a42f010d58a8bf89116ac879ca4740a
-
SHA256
21f121c9b506a7536434ce3b0cd7afdbdf07652a57b100723c078f745b73511c
-
SHA512
ea7cd55be6e4f8bcc1018fae808226f2a0e3baf5900fea9aded04119a6408e3216a019f3e2de5f545fc3e2c1b147e38610a1c497513347c532ac69e0a49ce9cd
-
SSDEEP
3072:U3ryZPiGUK7LGC9C6WCmo0Pmc/bZnQ7QWXPCrAZugae:UjGNGqObdWK
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot8131231612:AAEUo24glVLmRCyfaK72om4sTqhFx63vCws/sendMessage?chat_id=8029727797
Extracted
gurcu
https://api.telegram.org/bot8131231612:AAEUo24glVLmRCyfaK72om4sTqhFx63vCws/sendMessage?chat_id=8029727797
https://api.telegram.org/bot8131231612:AAEUo24glVLmRCyfaK72om4sTqhFx63vCws/getUpdate
https://api.telegram.org/bot8131231612:AAEUo24glVLmRCyfaK72om4sTqhFx63vCws/getUpdates?offset=11435076
https://api.telegram.org/bot8131231612:AAEUo24glVLmRCyfaK72om4sTqhFx63vCws/getUpdates?offset=11435077
https://api.telegram.org/bot8131231612:AAEUo24glVLmRCyfaK72om4sTqhFx63vCws/getUpdates?offset=11435078
https://api.telegram.org/bot8131231612:AAEUo24glVLmRCyfaK72om4sTqhFx63vCws/getUpdates?offset=11435079
https://api.telegram.org/bot8131231612:AAEUo24glVLmRCyfaK72om4sTqhFx63vCws/sendPhoto?chat_id=802972779
https://api.telegram.org/bot8131231612:AAEUo24glVLmRCyfaK72om4sTqhFx63vCws/sendDocument?chat_id=802972779
https://api.telegram.org/bot8131231612:AAEUo24glVLmRCyfaK72om4sTqhFx63vCws/getUpdates?offset=11435080
https://api.telegram.org/bot8131231612:AAEUo24glVLmRCyfaK72om4sTqhFx63vCws/getUpdates?offset=11435081
https://api.telegram.org/bot8131231612:AAEUo24glVLmRCyfaK72om4sTqhFx63vCws/getUpdates?offset=11435082
https://api.telegram.org/bot8131231612:AAEUo24glVLmRCyfaK72om4sTqhFx63vCws/getUpdates?offset=11435083
Targets
-
-
Target
TelegramRAT.exe
-
Size
136KB
-
MD5
e629176520460b7286b9b860ee751c7a
-
SHA1
74c626e83a42f010d58a8bf89116ac879ca4740a
-
SHA256
21f121c9b506a7536434ce3b0cd7afdbdf07652a57b100723c078f745b73511c
-
SHA512
ea7cd55be6e4f8bcc1018fae808226f2a0e3baf5900fea9aded04119a6408e3216a019f3e2de5f545fc3e2c1b147e38610a1c497513347c532ac69e0a49ce9cd
-
SSDEEP
3072:U3ryZPiGUK7LGC9C6WCmo0Pmc/bZnQ7QWXPCrAZugae:UjGNGqObdWK
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Gurcu family
-
Toxiceye family
-
Renames multiple (276) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Enumerates processes with tasklist
-