Malware Analysis Report

2025-08-10 19:22

Sample ID 220616-ltq8pagcg6
Target 216f40647e979192eb61192ce3cd8f26
SHA256 80a37f830c71b22ed3225838f7e8b17f7b5ff5b98a8085661db151df14304fbb
Tags xloader tn61 loader rat suricata
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 80a37f830c71b22ed3225838f7e8b17f7b5ff5b98a8085661db151df14304fbb

Threat Level: Known bad

The file 216f40647e979192eb61192ce3cd8f26 was found to be: Known bad.

Malicious Activity Summary

xloader tn61 loader rat suricata

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Suspicious use of SetThreadContext

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2022-06-16 09:49

Signatures

dropper
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-06-16 09:49
Reported 2022-06-16 09:54
Platform win7-20220414-en
Max time kernel 152s
Max time network 195s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader
Tags loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)
Tags suricata

Xloader Payload
Tags rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\help.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 964 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 964 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 964 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 964 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 964 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 964 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 964 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1384 wrote to memory of 1976 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\help.exe
PID 1384 wrote to memory of 1976 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\help.exe
PID 1384 wrote to memory of 1976 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\help.exe
PID 1384 wrote to memory of 1976 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\help.exe
PID 1976 wrote to memory of 2028 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 2028 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 2028 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe
PID 1976 wrote to memory of 2028 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe

"C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\autofmt.exe

"C:\Windows\SysWOW64\autofmt.exe"

C:\Windows\SysWOW64\autochk.exe

"C:\Windows\SysWOW64\autochk.exe"

C:\Windows\SysWOW64\help.exe

"C:\Windows\SysWOW64\help.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted 2022-06-16 09:49
Reported 2022-06-16 09:54
Platform win10v2004-20220414-en
Max time kernel 152s
Max time network 162s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader
Tags loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)
Tags suricata

Xloader Payload
Tags rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1860 set thread context of 2408 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2408 set thread context of 2640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Explorer.EXE
PID 1984 set thread context of 2640 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msdt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1860 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1860 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1860 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1860 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1860 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2640 wrote to memory of 1984 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msdt.exe
PID 2640 wrote to memory of 1984 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msdt.exe
PID 2640 wrote to memory of 1984 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\msdt.exe
PID 1984 wrote to memory of 4072 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 4072 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 4072 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe

"C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

C:\Windows\SysWOW64\msdt.exe

"C:\Windows\SysWOW64\msdt.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

Network

Files
