Overview

overview

10

Static

static

10

frowning_t....3.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    32s
  • max time network
    39s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25/03/2024, 08:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    frowning_tool build 1.3.exe

  • Size

    156KB

  • MD5

    ac0419c1af343890250f5fca61517f9d

  • SHA1

    d9a2685fbc661003b35b18bde3aa8a71e6a8d888

  • SHA256

    98c5b5e5f167fd7ba7a18652c83cbd8d2dfaf52e1dcbcd91853ef9a259042ab0

  • SHA512

    2b6bbe49d57efb14082d1d1bcf23645c3e0ccfbc5f69cc2c6d9df30ef1144b246b93e4ce8d6663afa7ee9ccb4307f52bcf9c37fe212c450846824ce6c7a1a6b1

  • SSDEEP

    1536:EgpHmVauo3mL/pDj6CSYebFNTf43joObhfT7zM:Egp4L/pHvQbFNmjo0FPzM

Score
10/10
xenoratratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

37.120.141.155

Mutex

modtool2

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    22914

  • startup_name

    WinSCVUpdate

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\frowning_tool build 1.3.exe
    "C:\Users\Admin\AppData\Local\Temp\frowning_tool build 1.3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4348
    • C:\Users\Admin\AppData\Roaming\XenoManager\frowning_tool build 1.3.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\frowning_tool build 1.3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:492
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "WinSCVUpdate" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB91E.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:3516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\frowning_tool build 1.3.exe.log
    Filesize

    226B

    MD5

    1294de804ea5400409324a82fdc7ec59

    SHA1

    9a39506bc6cadf99c1f2129265b610c69d1518f7

    SHA256

    494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

    SHA512

    033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB91E.tmp
    Filesize

    1KB

    MD5

    afb3de9c9257d84b80ae19eed399ff00

    SHA1

    fd59a58bcdf9c4623210a88dd931ca06364f1902

    SHA256

    c72543cc3e18540ec4eb5062524f83cde84368fe720ce30d1042f8ae81a5b76b

    SHA512

    ad40e43a99cc2ebe52501479749276fbe204596f3f8a3864f26206ea09d16c20bcd97208d3132ddd1b739e0b7d69a19f90db6c24372f4f24142be0c8fb67c04d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XenoManager\frowning_tool build 1.3.exe
    Filesize

    156KB

    MD5

    ac0419c1af343890250f5fca61517f9d

    SHA1

    d9a2685fbc661003b35b18bde3aa8a71e6a8d888

    SHA256

    98c5b5e5f167fd7ba7a18652c83cbd8d2dfaf52e1dcbcd91853ef9a259042ab0

    SHA512

    2b6bbe49d57efb14082d1d1bcf23645c3e0ccfbc5f69cc2c6d9df30ef1144b246b93e4ce8d6663afa7ee9ccb4307f52bcf9c37fe212c450846824ce6c7a1a6b1

    Download Submit

  • memory/492-22-0x0000000006000000-0x00000000065A6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/492-24-0x0000000005BD0000-0x0000000005CCC000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/492-15-0x0000000074D00000-0x00000000754B1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/492-17-0x0000000004C50000-0x0000000004C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/492-59-0x0000000004C50000-0x0000000004C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/492-20-0x00000000057E0000-0x0000000005846000-memory.dmp

    Filesize

    408KB

    Download

  • memory/492-21-0x0000000004C30000-0x0000000004C3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/492-58-0x0000000074D00000-0x00000000754B1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/492-23-0x0000000005B30000-0x0000000005BC2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/492-31-0x0000000008080000-0x000000000811C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/492-25-0x0000000007CB0000-0x0000000007E72000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/492-26-0x0000000007B60000-0x0000000007BD6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/492-27-0x0000000005FA0000-0x0000000005FF0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/492-28-0x00000000083B0000-0x00000000088DC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/492-29-0x0000000007FC0000-0x0000000007FDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4348-16-0x0000000074D00000-0x00000000754B1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4348-0-0x0000000000C50000-0x0000000000C7E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4348-1-0x0000000074D00000-0x00000000754B1000-memory.dmp

    Filesize

    7.7MB

    Download