URL: https://www.uptycs.com/blog/remote-access-trojan-qwixx-telegram

UNWANTED GUESTS: MITIGATING REMOTE ACCESS TROJAN INFECTION RISK

Tags: Malware, TelegramRAT, QwixxRAT, Data Extraction, New Malware

UPTYCS THREAT RESEARCH

August 14, 2023



A new threat has emerged in the cybersecurity landscape: QwixxRAT. Both
businesses and individual users are at risk, as this Trojan silently infiltrates
devices and casts a wide net for data extraction.

 

Ever vigilant for threats like the Remote Access Trojan (RAT), the Uptycs Threat
Research team discovered QwixxRAT (aka Telegram RAT) in early August 2023. The
threat actor is widely distributing this malicious tool through Telegram and
Discord platforms. 

Once installed on a victim's Windows machine, the RAT stealthily collects
sensitive data and sends it to the attacker's Telegram bot, giving the attacker
unauthorized access to the victim's sensitive information.

To avoid detection by antivirus software, the RAT uses a Telegram bot for its
command and control. This lets the attacker remotely control the RAT and manage
its operations.

 


A FAR-REACHING RAT

QwixxRAT is meticulously designed to harvest an expansive range of information
from browser histories and credit card details to keylogging insights. 


Its presence became notably alarming in recent evaluations of compromised
systems, hinting at its potential rise. While its origin and primary target
zones remain under investigation, the Trojan's reach seems global, leaving no
user truly safe. 


Beyond mere data theft, QwixxRAT wields formidable remote administrative tools,
enabling attackers to control victim devices, launch commands, and even
destabilize systems. In this blog, we aim to comprehensively explore its
features, workings, and the preventative steps that can be taken against it.

 


MARKETING AND DISTRIBUTION TACTICS OF QWIXXRAT

The scheme is run by a threat actor who markets the RAT on both Telegram and
Discord. They offer the tool for sale at a stated price and additionally provide
a limited free version.

Price list (in Russian rubles):
 * Permanent access – 500 rubles
 * Access for a week – 150 rubles

Once a buyer purchases the RAT, the sellers set up a separate channel dedicated
to accessing the harvested data.

 

Figure 1 – QwixxRAT Telegram channel

 


QWIXXRAT WORKFLOW

Figure 2 depicts the QwixxRAT workflow.

 

Figure 2 – Workflow of QwixxRAT

 


TECHNICAL ANALYSIS

The RAT is a compiled C# binary that runs as a 32-bit console executable. The
figure shows that the threat actor used two distinct names for the same Remote
Access Trojan (RAT): one alias is "Qwixx Rat," the other "TelegramRAT."

 

Figure 3 – QwixxRAT code

 

The main function calls a total of 19 individual functions, each serving a
distinct purpose. We examine them one by one below.

The RAT ships with a configuration function that determines its behavior on the
target machine. It holds various values, such as booleans, file extensions, and
other data types, and the RAT adapts its actions to them.

 


FUNCTION 1: HIDECONSOLEWINDOW

Because the RAT is a console application, it hides its own console window to
remain covert.

 


FUNCTION 2: CHECKMUTEX

The threat actor uses a mutex check to prevent duplicate execution. The code
computes the MD5 hash of the string "995716229" and also checks whether the
currently logged-in user has administrative privileges. If the user is an admin,
it creates a new mutex named "ADMIN:21de6ebf2e182b19a589c154562979b4." This
ensures that only one instance of the program runs on the target machine.

 

Figure 4 – Mutex check

 


FUNCTION 3: SECURITYPROTOCOL

This function sets the "ServicePointManager.SecurityProtocol" property to accept
multiple SSL/TLS versions. By including SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2,
the application gains backward compatibility and broad compatibility with servers
and clients, so it can establish secure connections to servers regardless of
which SSL/TLS version they require.

 


FUNCTION 4: ELEVATE PRIVILEGES

The code attempts to elevate the application's privileges to administrative
rights by relaunching itself (with a hidden window) using the "runas" verb. If
the user denies the elevation, or the AdminRightsRequired configuration setting
prevents it, the while loop continues, allowing further attempts to elevate
privileges.

 


FUNCTION 5: SLEEP

To evade AV/EDR/Sandbox detection, the threat actor incorporates the sleep
function to introduce a delay in the execution process.

 


FUNCTION 6: RUNANTIANALYSIS

The threat actor implemented three anti-analysis checks, covering sandboxes
(Sandboxie), virtual machines (VirtualBox), and debuggers.

 

Figure 5 – Anti analysis check

 

 * Sandbox check:

The code checks whether it is running inside a sandbox by looking for specific
DLLs, namely SbieDll.dll, SxIn.dll, Sf2.dll, snxhk.dll, and cmdvrt32.dll, which
are commonly associated with sandboxing software. If any of these DLLs is found
loaded in the current process via the GetModuleHandle API, the RAT terminates
immediately, concluding that it is running in a sandbox environment.

 

 * VirtualBox

To identify whether it is running in a virtual environment, the RAT issues two
WMI queries. First, it runs "Select * from Win32_ComputerSystem" and inspects the
"Manufacturer" and "Model" fields; if either contains "virtual", "vmware" or
"VirtualBox", the process terminates at once.

Second, it runs "SELECT * FROM Win32_VideoController" and checks the "Name"
property via GetPropertyValue; if it contains "VMware " or "VBox ", the process
terminates as well.

 

 * Debugger

The code detects whether it is running under a debugger by introducing a brief
delay and checking whether the elapsed time is less than 10 ticks, equivalent to
1 microsecond. The underlying assumption is that an attached debugger induces
additional delays, altering the measured time difference. If the check trips,
the process terminates as a protective measure.

 


FUNCTION 7: INSTALLSELF

The threat actor attempts to locate the file at "C:\Users\Chrome\rat.exe". If
the file is not found in the specified path, the code retrieves the executable
path and copies itself to "C:\Users\Chrome\rat.exe". Subsequently, the actor
modifies the file attributes to make it hidden in the system.

 


FUNCTION 8: SETAUTORUN

A scheduled task is created for the hidden file located at
"C:\Users\Chrome\rat.exe".

 

Figure 6 – Persistence of RAT

 


FUNCTION 9: MELTFILE

The code contains a self-destruction mechanism designed for a C# program. Under
specific conditions, it generates a temporary batch script that patiently waits
for the current process to terminate. Once the process stops, the executable
file is deleted, and the program is relaunched from the designated InstallPath
("C:\Users\Chrome\rat.exe"). This self-destructive behavior is commonly observed
in malware to conceal its existence or in security-related applications to
remove sensitive components after use.

 

Figure 7 – Bat file creation

 

The batch script checks for the existence of a parent process with a specific
PID (1207) and waits until it is available. Once the parent process is found, it
proceeds to delete the "stealer.exe" file (which is the parent), changes the
current directory to "C:\Users\Chrome," and then runs the "rat.exe" program
(which is a copy of the parent).

The following snapshot represents a batch file.

 

Figure 8 – The bat file
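
Seen from the defender's side, Functions 7 to 9 form one chain: a write to the hard-coded install path, a scheduled task pointing at it, and a batch file in %TEMP% that deletes the dropper and relaunches the copy. The script below is an added example, not code from the Uptycs post or from the malware; it runs four simple rules over Sysmon-style events (event ID 1 process create, event ID 11 file create, with field names simplified) and returns what fired. The install path comes from the report; the dropper path, task name and batch file name in the sample events are constructed.

```python
# Added example (not from the Uptycs post or the malware): hunt for the
# install -> scheduled task -> melt-and-relaunch chain of Functions 7-9 in
# Sysmon-style endpoint telemetry. Event fields are simplified and every
# sample event below is constructed for this example.
import re
from dataclasses import dataclass
from typing import List

INSTALL_PATH = r"C:\Users\Chrome\rat.exe"   # hard-coded install path from the report


@dataclass
class Event:
    event_id: int              # Sysmon numbering: 1 = process create, 11 = file create
    image: str                 # image path of the acting process
    command_line: str = ""     # event 1 only
    parent_image: str = ""     # event 1 only
    target_filename: str = ""  # event 11 only


@dataclass
class Finding:
    rule: str
    detail: str


# cmd.exe executing a .bat that lives under a Temp directory
BAT_IN_TEMP = re.compile(r'\\temp\\[^"\s]+\.bat\b')


def norm(path: str) -> str:
    """Case-fold and strip quotes so Windows paths compare reliably."""
    return path.strip().strip('"').lower()


def hunt(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    target = INSTALL_PATH.lower()
    for ev in events:
        img, cmd = norm(ev.image), ev.command_line.lower()
        # Function 7: some process writes the hard-coded install path.
        if ev.event_id == 11 and norm(ev.target_filename) == target:
            findings.append(Finding("install_path_drop", f"{ev.image} -> {ev.target_filename}"))
        if ev.event_id != 1:
            continue
        # Function 8: schtasks.exe registering a task whose action is the install path.
        if img.endswith("schtasks.exe") and "/create" in cmd and target in cmd:
            findings.append(Finding("schtasks_persistence", ev.command_line))
        # Function 9, step 1: cmd.exe running a freshly written .bat from %TEMP%.
        if img.endswith("cmd.exe") and BAT_IN_TEMP.search(cmd):
            findings.append(Finding("melt_batch", ev.command_line))
        # Function 9, step 2: the install path relaunched with cmd.exe as its parent.
        if img == target and norm(ev.parent_image).endswith("cmd.exe"):
            findings.append(Finding("melt_relaunch", f"{ev.parent_image} -> {ev.image}"))
    return findings


def sample_events() -> List[Event]:
    """Constructed telemetry: the chain from the report plus two benign events."""
    stealer = r"C:\Users\victim\Downloads\stealer.exe"   # constructed dropper path
    return [
        Event(11, stealer, target_filename=INSTALL_PATH),
        Event(1, r"C:\Windows\System32\schtasks.exe", parent_image=stealer,
              command_line=r'schtasks /create /tn "Updater" /tr "C:\Users\Chrome\rat.exe" /sc onlogon'),
        Event(1, r"C:\Windows\System32\cmd.exe", parent_image=stealer,
              command_line=r'cmd /c "C:\Users\victim\AppData\Local\Temp\tmp1A2B.bat"'),
        Event(1, INSTALL_PATH, parent_image=r"C:\Windows\System32\cmd.exe",
              command_line=r'"C:\Users\Chrome\rat.exe"'),
        # benign noise: an inventory query and a browser download
        Event(1, r"C:\Windows\System32\schtasks.exe", parent_image=r"C:\Windows\explorer.exe",
              command_line="schtasks /query /fo csv"),
        Event(11, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              target_filename=r"C:\Users\victim\Downloads\report.pdf"),
    ]


def demo() -> List[str]:
    """Names of the rules that fire on the sample telemetry, in event order."""
    return [f.rule for f in hunt(sample_events())]


if __name__ == "__main__":
    for f in hunt(sample_events()):
        print(f"{f.rule:22} {f.detail}")
```

The fixed path is the weakest of the four indicators, since a rebuild of the RAT can change it in one place; the schtasks and cmd.exe-parent rules describe behaviour and survive that change, which is why they are kept separate rather than folded into a single path match.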

 


FUNCTION 10: ISCONNECTEDTOINTERNET

The code is a simple way to check for an active internet connection by trying to
ping "google.com" and "api.telegram.org". The method keeps retrying the pings
until both hosts are reachable, and it prints status messages to the console
during the process.
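
The connectivity check above is also a detection opportunity: a process that is neither a browser nor a known client resolving api.telegram.org, especially right after google.com, is exactly what this RAT looks like on the wire, while the Bot API traffic itself is plain HTTPS to a legitimate service. The following is an added example and not code from the Uptycs post; it groups DNS query records by process and alerts on Bot API lookups from non-allowlisted images. The pipe-delimited log format, the process allowlist and all sample lines are constructed assumptions for the example.

```python
# Added example (not from the Uptycs post): correlate per-process DNS queries to
# spot a non-browser process using the Telegram Bot API host, ranked higher when
# it is paired with the google.com probe from Function 10. The log format, the
# allowlist and every sample line below are constructed for this example.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

BOT_API_HOST = "api.telegram.org"
PROBE_HOSTS = {"google.com", BOT_API_HOST}  # both are pinged by IsConnectedToInternet

# Assumption: interactive browsers may legitimately load api.telegram.org; nothing
# else in a typical fleet should, so everything not listed here is a candidate.
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_dns_line(line: str) -> Tuple[int, str, str]:
    """Constructed format: '<utc time>|<pid>|<image path>|<query name>'."""
    _ts, pid, image, qname = (f.strip() for f in line.split("|", 3))
    return int(pid), image, qname.lower().rstrip(".")


def detect(lines: List[str]) -> List[Dict]:
    queries: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for line in lines:
        pid, image, qname = parse_dns_line(line)
        queries[(pid, image)].add(qname)

    alerts: List[Dict] = []
    for (pid, image), names in queries.items():
        if image_name(image) in ALLOWED_IMAGES or BOT_API_HOST not in names:
            continue
        # A bare Bot API lookup is suspicious on its own; the google.com plus
        # api.telegram.org pair is the RAT's own connectivity check, so rank it higher.
        severity = "high" if PROBE_HOSTS <= names else "medium"
        alerts.append({"pid": pid, "image": image, "severity": severity,
                       "hosts": sorted(names)})
    return alerts


SAMPLE_LOG = [  # constructed DNS query records
    r"2023-08-14T10:00:01Z|4120|C:\Users\Chrome\rat.exe|google.com",
    r"2023-08-14T10:00:01Z|4120|C:\Users\Chrome\rat.exe|api.telegram.org",
    r"2023-08-14T10:00:05Z|2210|C:\Program Files\Google\Chrome\Application\chrome.exe|api.telegram.org",
    r"2023-08-14T10:00:07Z|3300|C:\Windows\System32\svchost.exe|www.msftconnecttest.com",
    r"2023-08-14T10:00:09Z|6001|C:\Users\victim\AppData\Local\Temp\tool.exe|api.telegram.org.",
]


def demo() -> List[Dict]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for a in demo():
        print(a["severity"], a["pid"], a["image"], a["hosts"])
```

Blocking api.telegram.org at the egress proxy is the blunt alternative; where Telegram is business-relevant, the per-process correlation above keeps the signal without the outage.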

 


FUNCTION 11: PROCESSCHECKERTHREAD

The code serves as a process monitoring mechanism, actively scanning the
system's running process list for specific processes such as "taskmgr,"
"processhacker," "netstat," "netmon," "tcpview," "wireshark," "filemon,"
"regmon," and "cain." 

Upon detecting any of these specified processes, it takes action by blocking the
network activity thread, as managed by the variable
"telegram.waitThreadIsBlocked." It remains in this state until the detected
process is no longer active. Once the process is terminated, the network
activity resumes, and the code sends a notification message to a Telegram bot,
alerting it about the detected blocked process.

 


FUNCTION 12: KEYLOGGERTHREAD

The code implements a keyboard hook callback function responsible for capturing
keyboard events and logging them into a file. As the function captures the keys
pressed, it converts special keys into more understandable representations and
categorizes the keystrokes based on the active window title.

Keyboard hooks find utility in various applications, including keylogging, input
monitoring, and hotkey handling. It is essential to recognize that while
keyboard hooks can serve legitimate purposes like enabling accessibility
features, they can also be misused for malicious activities, such as
unauthorized keylogging, without the user's consent.

 


FUNCTION 13: AUTOSTEALERTHREAD

The code is designed to illicitly gather confidential information from a
targeted computer. This includes capturing screenshots of the desktop,
extracting login credentials, credit card details, browsing history, bookmarks,
FTP credentials, messenger data, and data from the Steam platform. Subsequently,
the collected data is surreptitiously shared with the attacker via a Telegram
channel.

 

Figure 9 – Qwixx stealer code

 

 * desktopScreenshot

The code captures a screenshot of the desktop, saves it as a PNG image
(screenshot.png), sends it to a Telegram bot, and then deletes the temporary
file. Run periodically, the same routine gives the operator continuous desktop
monitoring through the bot.

 

The code is designed to specifically target certain web browsers and collect
sensitive data, such as login details, browsing history, cookies, credit card
information, and bookmarks. It achieves this objective by utilizing an existing
GitHub project.

 

 

Targeted browser list:
 * Google\Chrome
 * Google(x86)\Chrome
 * Chromium
 * Opera Software\Opera Stable\
 * BraveSoftware\Brave-Browser
 * Epic Privacy Browser
 * Amigo
 * Vivaldi
 * Orbitum
 * Mail.Ru\Atom
 * Kometa
 * Comodo\Dragon
 * Torch
 * Comodo
 * Slimjet
 * 360Browser\Browser
 * Maxthon3
 * K-Melon
 * Sputnik\Sputnik
 * Nichrome
 * CocCoc\Browser
 * uCozMedia\Uran
 * Chromodo

 * Passwords

The password-stealing code is designed to extract saved login credentials
(including the host name, user name, and password) from specific web browser
locations such as \User Data\Default\Login Data on the user's system. It then
stores the collected data in a text file named "passwords.txt." Finally, the
code uploads the generated file to a Telegram bot.

 

 * CreditCards

The credit card-stealing code is designed to retrieve stored credit card
information, including the card number, cardholder name, expiration year, and
expiration month, from specific web browser locations like "\User
Data\Default\Web data" on the victim's system. Subsequently, it stores this data
in a text file named "credit_cards.txt". Finally, the code uploads the generated
file to a Telegram bot.

 

 * History

The browsing history-stealing code is designed to gather information related to
visited URLs, page titles, visit counts, and timestamps from specific web
browser locations such as "\User Data\Default\History" on the user's system. It
then saves this data in a text file named "history.txt". Finally, the code
uploads the created file to a Telegram bot.

 

 * Bookmarks

The bookmark-stealing code is designed to extract bookmark information,
including the URL, name, and date, from specific web browser locations like
"\User Data\Default\Bookmarks" on the user's system. It then stores this
information in a text file named "bookmarks.txt". Finally, the code uploads the
generated file to a Telegram bot.

 

 * Cookies

The cookie-stealing code is designed to gather cookie information, including the
value, host, name, path, expiration, and secure attributes, from different web
browser locations like "\User Data\Default\Cookies" on the user's system. It
then saves this data in a text file named "cookies.txt." Finally, the code
uploads the created file to a Telegram bot.

 

 * FileZilla

The code is designed to retrieve FTP server information, including the URL,
username, and password, from FileZilla's configuration files. It proceeds to
store this extracted data in a text file named "filezilla.txt" and subsequently
uploads the file to a Telegram bot.

 

 * Telegram

The code is specifically created to pilfer Telegram data located in the "\tdata"
directory. It compresses the data into a .ZIP file and then dispatches this file
to a Telegram bot.

 

 * Discord

The code is purposely crafted to illicitly obtain Discord data found in the
"\discord\Local Storage\leveldb" directory. It then sends this data to a
Telegram bot.

 

 * SteamGrabber

This code searches the user's Steam installation directory for Steam-related
files: those whose names start with "ssfn", files in the "config" subdirectory
with names beginning with "loginusers.", and files in the "config" subdirectory
with names starting with "config". Once the Steam process is detected running, it
gathers these files into a zip archive named "steam.zip" and sends the archive to
a specified Telegram bot without the user's consent.

 

 * GrabDesktop

The code gathers files with specific extensions (.kdbx, .png, .jpg, .bmp, .pdf,
.txt, .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .sql, .php, .py, .html,
.xml, .json, .csv) from the desktop location. After collecting these files, it
creates a zip archive named "desktop.zip" and then transmits this archive to a
Telegram bot.
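
Every store in this list has exactly one legitimate reader: the browser owns its profile databases, Telegram Desktop owns tdata, Discord owns its leveldb, Steam owns the ssfn and loginusers files. That makes "who opened this file" a strong detection for the whole AutoStealerThread, independent of which GitHub project the grabber was borrowed from. The script below is an added example, not code from the Uptycs post; it classifies file-access events by store and reports processes that touch stores they do not own. Store paths follow the ones quoted above (with an optional Network\ component that newer Chromium builds use for Cookies); the owner image names and the two FileZilla file names are assumptions to tune per estate, and the sample events are constructed.

```python
# Added example (not from the Uptycs post): flag processes that read the credential
# stores AutoStealerThread targets but are not the application owning that store.
# Store patterns follow the paths quoted in the post; owner image names and the
# FileZilla file names are assumptions, and every sample event is constructed.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (category, pattern applied to the lower-cased path, owning process image names)
STORES = [
    ("browser_profile",
     re.compile(r"\\user data\\[^\\]+\\(?:network\\)?(?:login data|web data|history|bookmarks|cookies)$"),
     {"chrome.exe", "chromium.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}),
    ("telegram_tdata", re.compile(r"\\tdata(?:\\|$)"), {"telegram.exe"}),
    ("discord_leveldb", re.compile(r"\\discord\\local storage\\leveldb(?:\\|$)"), {"discord.exe"}),
    ("steam_auth", re.compile(r"\\steam\\(?:ssfn[^\\]*|config\\loginusers\.[^\\]+)$"), {"steam.exe"}),
    ("filezilla_config",  # assumed FileZilla configuration file names
     re.compile(r"\\filezilla\\(?:sitemanager|recentservers)\.xml$"), {"filezilla.exe"}),
]


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(image: str, path: str) -> Optional[str]:
    """Return the store category if a non-owner process touched a known store."""
    low = path.lower()
    for category, pattern, owners in STORES:
        if pattern.search(low):
            return None if image_name(image) in owners else category
    return None


def triage(events: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Per offending process, the sorted set of foreign stores it reached into.
    One process spanning several unrelated stores is the stealer signature."""
    touched: Dict[str, set] = defaultdict(set)
    for image, path in events:
        category = classify(image, path)
        if category:
            touched[image].add(category)
    return {img: sorted(cats) for img, cats in touched.items()}


SAMPLE_EVENTS = [  # constructed (process image, file accessed) pairs
    (r"C:\Users\Chrome\rat.exe", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\Chrome\rat.exe", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    (r"C:\Users\Chrome\rat.exe", r"C:\Users\victim\AppData\Roaming\Telegram Desktop\tdata"),
    (r"C:\Users\Chrome\rat.exe", r"C:\Users\victim\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"),
    (r"C:\Users\Chrome\rat.exe", r"C:\Program Files (x86)\Steam\ssfn1234567890"),
    # legitimate owners reading their own data
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\History"),
    (r"C:\Users\victim\AppData\Local\Discord\Discord.exe",
     r"C:\Users\victim\AppData\Roaming\discord\Local Storage\leveldb\MANIFEST-000001"),
]


def demo() -> Dict[str, List[str]]:
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for image, cats in demo().items():
        print(f"{image}: {len(cats)} foreign store(s) -> {', '.join(cats)}")
```

Backup agents and EDR scanners will also read these files, so in production the owner sets grow per estate; the multi-store count in triage() is what keeps a one-off backup read from looking like a stealer.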

 


FUNCTION 14: CLIPPER

The threat actor may exploit clipboard APIs to access sensitive information
copied to the device's clipboard. The code aims to extract cryptocurrency wallet
information for Monero, Ethereum, and Bitcoin.

 


FUNCTION 15: PROTECTPROCESS

Setting "SeDebugPrivilege" to level 2 grants the program the special "Debug
Privilege." This privilege is normally required only for specific debugging or
system administration tasks.

 

Figure 10 – Protect process

 


FUNCTION 16: PREVENTSLEEP

It's worth mentioning that the value 2147483651U used in this context represents
a combination of flags (ES_CONTINUOUS, ES_SYSTEM_REQUIRED, and
ES_AWAYMODE_REQUIRED) to set the system's execution state. These flags ensure
that the system remains continuously active, preventing sleep or idle mode, even
if the user is away, such as during presentations or video playback.

 

Figure 11 – Prevent sleep

 


FUNCTION 17: SENDCONNECTION

The purpose of this code is to send a text message to a specific chat on
Telegram using a Telegram bot.

 

Figure 12 – Communication request

 


FUNCTION 18: WAITCOMMANDSTHREAD

The code implements a loop to constantly monitor incoming messages and commands
for the Telegram bot. It promptly takes appropriate actions based on the content
of these messages, which may involve downloading files, executing commands, or
notifying the bot owner of unknown message types. By doing so, the code ensures
that the bot remains responsive and handles new updates in a timely manner.

 

Commands handled by WaitCommandsThread, grouped by the bot's command category
(category, command, description):

INFORMATION
 * Computerinfo – Retrieves the following details from the victim's machine:
   GetSystemVersion, MachineName, UserName, current date and time, antivirus
   check (Select * from AntivirusProduct), admin login check, process protected,
   debugger check, program list, CPU name, GPU name, RAM amount (Select * From
   Win32_ComputerSystem), HWID (SELECT ProcessorId FROM Win32_Processor)
 * BatteryInfo – Get battery percentage status
 * Location – Extracts latitude, longitude, range, BSSID and router details from
   https://api[.]mylnikov[.]org/geolocation/wifi?bssid=
 * Whois – Get public IP via http://ip-api.com/json/
 * GetActiveWindowTitle – Obtain the title of the currently active window on the
   computer's desktop

SPY
 * Webcam – Fetches the CommandCam tool from
   https[:]//raw.githubusercontent.com/tedburke/CommandCam/master/CommandCam[.]exe.
   This command-line tool for Windows acts as a webcam image grabber, capturing a
   single image and saving it as a PNG file; it is built for automating image
   capture in batch files and similar scenarios where simplicity matters.
 * Microphone – Downloads the audio recording archive from
   https://raw.githubusercontent[.]com/LimerBoy/hackpy/master/modules/audio[.]zip,
   extracts the executable (exe) from the zip, sets its attributes to hidden, then
   runs it with specific arguments and saves the recording in .wav format
 * Desktop – Refer: Function 13: AutoStealerThread
 * Keylogger – Refer: Function 12: KeyloggerThread

CLIPBOARD
 * ClipboardSet – Sets the text (string) content of the clipboard, so that a
   chosen text can be pasted into other applications with the standard paste
   command
 * ClipboardGet – Retrieves the text (string) content of the clipboard

TASK MANAGER
 * ProcessList – Get process details
 * ProcessKill – Kill a running process
 * ProcessStart – Start a new process
 * TaskManagerDisable – Disables Task Manager by modifying registry settings
   under Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
 * TaskManagerEnable – Re-enables Task Manager by modifying the same registry
   key, Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
 * MinimizeAllWindows – Minimize all windows on the target machine
 * MaximizeAllWindows – Maximize all windows on the target machine

STILLER
 * GetPasswords, GetCreditCards, GetHistory, GetBookmarks, GetCookies,
   GetDesktop, GetFileZilla, GetDiscord, GetTelegram, GetSteam – Refer:
   Function 13: AutoStealerThread

CD
 * OpenCD – Open the CD drive
 * CloseCD – Close the CD drive

FILES
 * DownloadFile – Download a file from the server
 * UploadFile – Upload a file to the attacker
 * RunFile – Start the file
 * RunFileAdmin – Start the file with admin privileges
 * ListFiles – Get the list of files in a directory
 * RemoveFile – Remove a file from disk
 * RemoveDir – Remove a directory from disk
 * MoveFile – Move a file from one location to another
 * CopyFile – Copy a file from one location to another
 * MoveDir – Move a directory from one location to another
 * CopyDir – Copy a directory from one location to another

COMMUNICATION
 * Speak – The "textToSpeak" command
 * Shell – Command for shell execution
 * MessageBox – Display a message using MessageBox
 * OpenURL – Launch a URL
 * SetWallpaper – Change the wallpaper
 * SendKeyPress – Sends one or more key press combinations to the system
 * NetDiscover – Get host, IP and MAC details
 * Uninstall – The parent file is removed, and execution continues from the
   copied file "rat.exe"

AUDIO
 * PlayMusic – Play an mp3 file via the mciSendString API
 * AudioVolumeSet – Downloads the following DLLs and uses them to control the
   volume:
   https://raw.githubusercontent[.]com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSwitcher.AudioApi[.]dll
   https://raw.githubusercontent[.]com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSwitcher.AudioApi.CoreAudio[.]dll
 * AudioVolumeGet – Uses the same DLLs as AudioVolumeSet to read the default
   volume information

PC
 * BlockInput – Control keyboard and mouse input
 * Monitor – Control the monitor (off, standby)
 * DisplayRotate – Rotate the display
 * EncryptFileSystem – Encrypts files in the user profile folder with the
   extensions .lnk, .png, .jpg, .bmp, .psd, .pdf, .txt, .doc, .docx, .xls,
   .xlsx, .ppt, .pptx, .odt, .csv, .sql, .mdb, .sln, .php, .py, .asp, .aspx,
   .html, .xml
 * DecryptFileSystem – Decrypts files in the user profile folder with the same
   set of extensions (.lnk, .png, .jpg, .bmp, .psd, .pdf, .txt, .doc, .docx,
   .xls, .xlsx, .ppt, .pptx, .odt, .csv, .sql, .mdb, .sln, .php, .py, .asp,
   .aspx, .html, .xml)
 * ForkBomb – A harmful routine that rapidly spawns an endless loop of new
   processes, overloading the computer until it crashes or becomes unresponsive.
   The attacker targets notepad, explorer, mspaint, calc and cmd.
 * BSoD – Blue Screen of Death command
 * OverwriteBootSector – Changes the boot sector, which may destroy the machine

TRUST
 * Shutdown – Power off the victim machine
 * Reboot – Restart the machine
 * Hibernate – Put the machine into hibernate mode
 * Logoff – Initiate a logoff on the victim machine

OTHER
 * Help – Shows command details
 * About – Shows the threat actor's Telegram ID

 


FUNCTION 19: MAINFORM

This code makes the application's main form borderless and keeps it out of the
taskbar, so the RAT runs without a visible window. The process is also given
high priority during system shutdown, which lets it finish critical or
background work before the machine powers off.

UPTYCS XDR COVERAGE

In addition to having YARA built in and being armed with other advanced
detection capabilities, Uptycs XDR users can easily scan for QwixxRAT. XDR
contextual detection provides important details about identified malware. Users
can navigate to the toolkit data section in the detection screen, then click a
detected item to reveal its profile (Fig. 13).

QWIXXRAT YARA DETECTION RULE

Uptycs XDR scans the memory of newly launched processes and detects any presence
of suspicious strings by utilizing YARA rules. The YARA rule for detecting this
malware has already been made available to our customers.

If you are not an Uptycs XDR customer, you can use the YARA command-line tool
or any third-party scanner that consumes YARA rules to scan suspicious
processes. The rule is shared below for your convenience.

rule Uptycs_QwixxRAT
{
    meta:
        malware_name = "QwixxRAT"
        description = "QwixxRAT is a trojan designed to extract browser cookies, histories, credit card information and capture keylogger activities from targeted devices"
        author = "Uptycs Inc"
        version = "1"

    strings:
        $string_0 = "[CAPSLOCK: ON]" ascii wide
        $string_1 = "[ESC]" ascii wide
        $string_2 = "webcam.png" ascii wide
        $string_3 = "SELECT * FROM win32_operatingsystem" ascii wide
        $string_4 = "\\User Data\\Default\\Login Data" ascii wide
        $string_5 = "recentservers.xml" ascii wide
        $string_6 = "credit_cards.txt" ascii wide
        $string_7 = "Tasklist /fi" ascii wide
        $string_8 = "Select * from AntivirusProduct" ascii wide
        $string_9 = "\\keylogs.txt" ascii wide
        $string_10 = "AutoStealer" ascii wide

    condition:
        all of them
}
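As an added illustration (not code from Uptycs and not part of the rule above), the following Python script reproduces what the rule's `ascii wide` modifiers and `all of them` condition actually test, without needing yara-python. Every string is searched both as raw ASCII and as UTF-16LE (each character followed by a NUL byte), which is how .NET string literals sit in a loaded process image; and because the condition is `all of them`, a buffer that contains ten of the eleven strings does not match. The "process memory" buffer is constructed inline for the example; in practice you would feed it a dump taken with your own tooling.

```python
"""Emulate the matching semantics of the Uptycs_QwixxRAT YARA rule.

Added example, not Uptycs code. The sample buffer built by build_sample()
is constructed for this demonstration and is not QwixxRAT data.
"""
from typing import Dict, List

# The rule's strings. YARA's "\\" escape is a single backslash, so the Python
# raw strings below carry one backslash where the rule shows two.
QWIXXRAT_STRINGS: Dict[str, str] = {
    "string_0": "[CAPSLOCK: ON]",
    "string_1": "[ESC]",
    "string_2": "webcam.png",
    "string_3": "SELECT * FROM win32_operatingsystem",
    "string_4": r"\User Data\Default\Login Data",
    "string_5": "recentservers.xml",
    "string_6": "credit_cards.txt",
    "string_7": "Tasklist /fi",
    "string_8": "Select * from AntivirusProduct",
    "string_9": r"\keylogs.txt",
    "string_10": "AutoStealer",
}


def ascii_wide_forms(pattern: str) -> List[bytes]:
    """Return the two byte patterns YARA searches for under `ascii wide`."""
    return [pattern.encode("ascii"), pattern.encode("utf-16-le")]


def matched_strings(data: bytes) -> Dict[str, List[str]]:
    """Map each rule string identifier to the forms ("ascii"/"wide") found in data."""
    hits: Dict[str, List[str]] = {}
    for ident, pattern in QWIXXRAT_STRINGS.items():
        forms = [
            name
            for name, blob in zip(("ascii", "wide"), ascii_wide_forms(pattern))
            if blob in data
        ]
        if forms:
            hits[ident] = forms
    return hits


def rule_matches(data: bytes) -> bool:
    """`condition: all of them` - every $string_N must appear in at least one form."""
    return len(matched_strings(data)) == len(QWIXXRAT_STRINGS)


def build_sample(omit: str = "") -> bytes:
    """Constructed stand-in for a process memory dump.

    Odd-numbered strings are stored UTF-16LE, the way a .NET binary holds its
    literals; even-numbered ones are plain ASCII. `omit` drops one identifier
    so the all-of-them condition can be shown failing.
    """
    chunks = [b"MZ\x90\x00" + b"\x00" * 60]  # constructed PE-like prefix
    for i, (ident, pattern) in enumerate(QWIXXRAT_STRINGS.items()):
        if ident == omit:
            continue
        chunks.append(pattern.encode("utf-16-le") if i % 2 else pattern.encode("ascii"))
        chunks.append(b"\x00" * 8 + bytes([0x41 + i]) * 4)  # filler between strings
    return b"".join(chunks)


if __name__ == "__main__":
    samples = (
        ("full sample", build_sample()),
        ("missing $string_10", build_sample(omit="string_10")),
    )
    for label, blob in samples:
        hits = matched_strings(blob)
        print(f"{label}: {len(hits)}/{len(QWIXXRAT_STRINGS)} strings, match={rule_matches(blob)}")
        for ident, forms in hits.items():
            print(f"  ${ident}: {','.join(forms)}")
```

When triaging a real process, the per-string output is the useful part: a partial hit list (for example everything except "AutoStealer") usually means a repacked or trimmed build rather than a clean miss, and is the signal to loosen the condition to something like `8 of them` in a hunting copy of the rule.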

 


PRECAUTIONS

 * Immediately report any theft to the appropriate authorities, such as the
   police, your bank or your credit card company, so identity theft and
   financial fraud can be countered promptly.
 * Regularly scrutinize your bank and credit card statements for anomalies and
   report any unrecognized activity.
 * Periodically change your passwords, using strong, unique combinations, to
   limit the damage if credentials are stolen or phished.
 * Add a further layer of defence by enabling two-factor authentication (2FA)
   on important accounts, including cryptocurrency wallets.
 * Cover or disconnect your webcam when it is not in use.
 * Be wary of suspicious emails, links and attachments; do not reveal personal
   details or open unfamiliar links.
 * Stay informed about cybersecurity practices and educate those around you
   about potential threats and safe habits.


IOC

 

File name        MD5
QwixxRAT.exe     46d6f885d323df5f00218da715239a7b

URL
https[:]//raw.githubusercontent[.]com/tedburke/commandCam/master/commandCam[.]exe
https[:]//raw.githubusercontent[.]com/LimerBoy/hackpy/master/modules/audio[.]zip
https[:]//api.telegram.org/
https[:]//raw.githubusercontent[.]com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSwitcher.AudioApi[.]dll
https[:]//raw.githubusercontent[.]com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSwitcher.AudioApi.CoreAudio[.]dll
https[:]//api[.]mylnikov[.]org/geolocation/wifi?bssid=
google[.]com
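A practical way to use the URL IOCs above is to correlate them rather than alert on each one, because api.telegram.org is the Telegram Bot API and plenty of legitimate automation (alerting bots, chat integrations) talks to it. The added Python script below (not Uptycs code) hunts a web-proxy log and flags a client only when it reaches the Bot API AND at least one of the RAT-specific URLs: the CommandCam webcam tool, the hackpy audio module, the AudioSwitcher DLLs or the mylnikov BSSID geolocation endpoint. The log lines, client addresses and bot-token placeholders are constructed for the example, and the log format (timestamp, client IP, method, URL) is an assumption; adapt parse_line() to whatever your proxy emits. google[.]com is left out of the match set because it would match essentially all traffic.

```python
"""Correlate QwixxRAT network IOCs across a proxy log.

Added example, not Uptycs code. SAMPLE_LOG and the log format are constructed
for this demonstration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import urlsplit

# IOC URLs defanged as published; refang() turns them back into matchable strings.
IOC_URLS = [
    "https[:]//raw.githubusercontent[.]com/tedburke/commandCam/master/commandCam[.]exe",
    "https[:]//raw.githubusercontent[.]com/LimerBoy/hackpy/master/modules/audio[.]zip",
    "https[:]//api.telegram.org/",
    "https[:]//raw.githubusercontent[.]com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSwitcher.AudioApi[.]dll",
    "https[:]//raw.githubusercontent[.]com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSwitcher.AudioApi.CoreAudio[.]dll",
    "https[:]//api[.]mylnikov[.]org/geolocation/wifi?bssid=",
]


def refang(ioc: str) -> str:
    """Undo the [:] and [.] defanging used in the IOC table."""
    return ioc.replace("[:]", ":").replace("[.]", ".")


TELEGRAM_API = "api.telegram.org"
# Everything except the Bot API is specific enough to count as a staging hit.
STAGING = [refang(u) for u in IOC_URLS if TELEGRAM_API not in u]


class Event(NamedTuple):
    ts: str
    client: str
    method: str
    url: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed proxy log line of the form 'ts client METHOD url'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return Event(*parts)


def classify(url: str) -> Optional[str]:
    """Return 'telegram', 'staging' or None for a requested URL."""
    host = urlsplit(url).hostname or ""
    if host == TELEGRAM_API:
        return "telegram"
    for ioc in STAGING:
        # Prefix match so query values (bssid=...) after the IOC still hit.
        if url.startswith(ioc):
            return "staging"
    return None


def hunt(lines: List[str]) -> Dict[str, List[str]]:
    """Return {client: [flagged urls]} for clients that hit both the Telegram
    Bot API and at least one RAT staging/geolocation URL."""
    seen: Dict[str, Dict[str, List[str]]] = defaultdict(
        lambda: {"telegram": [], "staging": []}
    )
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        kind = classify(ev.url)
        if kind:
            seen[ev.client][kind].append(ev.url)
    return {
        client: hits["telegram"] + hits["staging"]
        for client, hits in seen.items()
        if hits["telegram"] and hits["staging"]
    }


# Constructed log: 10.0.0.5 runs a legitimate Telegram bot, 10.0.0.9 shows the
# RAT pattern, 10.0.0.12 fetches an unrelated file from GitHub.
SAMPLE_LOG = """\
2023-08-10T09:01:02Z 10.0.0.5 POST https://api.telegram.org/bot123/getUpdates
2023-08-10T09:01:05Z 10.0.0.5 GET https://www.google.com/
2023-08-10T09:02:11Z 10.0.0.9 GET https://raw.githubusercontent.com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSwitcher.AudioApi.dll
2023-08-10T09:02:12Z 10.0.0.9 GET https://raw.githubusercontent.com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSwitcher.AudioApi.CoreAudio.dll
2023-08-10T09:02:20Z 10.0.0.9 POST https://api.telegram.org/bot987/sendDocument
2023-08-10T09:03:00Z 10.0.0.9 GET https://api.mylnikov.org/geolocation/wifi?bssid=00:11:22:33:44:55
2023-08-10T09:03:30Z 10.0.0.12 GET https://raw.githubusercontent.com/someuser/tool/main/README.md
""".splitlines()

if __name__ == "__main__":
    for client, urls in hunt(SAMPLE_LOG).items():
        print(client)
        for u in urls:
            print("   ", u)
```

Only 10.0.0.9 is reported: the legitimate bot on 10.0.0.5 never touches a staging URL, and 10.0.0.12 never touches the Bot API. If your proxy logs the originating process, the same correlation becomes far stronger by also requiring that the Bot API client is not a known bot binary.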
© 2023 Uptycs. All rights reserved.