Malware Analysis Report

2025-08-05 13:52

Sample ID 220621-m5dx6sfdc7
Target AWB_811470484778.exe
SHA256 7e05b0a9ffe1cfbc4cb926477d044ad7b6046352f8734b95037e4f5ef21bca99
Tags
xloader h4st loader rat suricata
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

7e05b0a9ffe1cfbc4cb926477d044ad7b6046352f8734b95037e4f5ef21bca99

Threat Level: Known bad

The file AWB_811470484778.exe was found to be: Known bad.

Malicious Activity Summary

xloader h4st loader rat suricata

Xloader (the FormBook successor; the Suricata rule below still carries the FormBook name, so the two labels refer to the same family)

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Deletes itself

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

The sandbox produced no mapping. From the signatures recorded in the behavioral analyses below, the observed behaviour maps to the following techniques (editor's mapping derived from those signatures, not sandbox output):

T1055 Process Injection: WriteProcessMemory followed by SetThreadContext from the dropper into a second copy of itself (the pattern of T1055.012 Process Hollowing), from that copy into Explorer.EXE, and from Explorer.EXE into a SysWOW64 binary (help.exe in behavioral1, netsh.exe in behavioral2).
T1134 Access Token Manipulation: SeDebugPrivilege enabled on the dropper's and the host binary's tokens (AdjustPrivilegeToken).
T1057 Process Discovery: EnumeratesProcesses from the dropper and from netsh.exe.
T1070.004 Indicator Removal: File Deletion: cmd.exe /c del of the original dropper in %TEMP%.
T1071.001 Application Layer Protocol: Web Protocols: HTTP GET check-ins on port 80 matching ET MALWARE FormBook CnC Checkin (GET).

Analysis: static1

Detonation Overview

Reported

2022-06-21 11:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-21 11:02

Reported

2022-06-21 11:05

Platform

win7-20220414-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

Xloader Payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (5 identical rows; the sandbox attaches no process detail to this signature)

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1092 set thread context of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe
PID 1120 set thread context of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Windows\Explorer.EXE
PID 968 set thread context of 1276 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A (2 identical rows)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1092 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe (7 identical rows)
PID 1276 wrote to memory of 968 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\help.exe (4 identical rows)
PID 968 wrote to memory of 596 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\SysWOW64\cmd.exe (4 identical rows)

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
C:\Windows\SysWOW64\help.exe | "C:\Windows\SysWOW64\help.exe"
C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"

Read together with the signature tables above, the PIDs give the chain: the dropper (PID 1092) writes into and sets the thread context of a second copy of itself (1120); that copy sets the thread context of Explorer.EXE (1276); Explorer.EXE writes into help.exe (968), which sets Explorer's thread context again and writes into cmd.exe (596), whose command line deletes the original dropper from %TEMP%.
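The chain above is worth checking mechanically rather than by eye. The script below is an added example (not sandbox output and not tooling from this report): it takes the WriteProcessMemory and SetThreadContext rows of this run, embedded as constructed input copied from the tables above, and flags the three stages an Xloader/FormBook run shows: a process that both writes into and sets the thread context of a child running its own image, injections into Explorer.EXE, and a cmd.exe child whose command line deletes the dropper. The function names and the row layout are the example's own; the always-N/A Indicator column is dropped.

```python
"""Reconstruct the process-injection chain from sandbox signature rows.

Added example for this report. The rows below are copied from the
behavioral1 tables (constructed input, so the script runs offline); the
sandbox's always-N/A "Indicator" column is dropped.
"""
import re
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
HELP = r"C:\Windows\SysWOW64\help.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# (description, source image, target image) for each signature row.
WPM_ROWS = [
    ("PID 1092 wrote to memory of 1120", DROPPER, DROPPER),   # 7 identical rows
    ("PID 1276 wrote to memory of 968", EXPLORER, HELP),      # 4 identical rows
    ("PID 968 wrote to memory of 596", HELP, CMD),            # 4 identical rows
]
STC_ROWS = [
    ("PID 1092 set thread context of 1120", DROPPER, DROPPER),
    ("PID 1120 set thread context of 1276", DROPPER, EXPLORER),
    ("PID 968 set thread context of 1276", HELP, EXPLORER),
]
# Command line the sandbox recorded for the cmd.exe instance (PID 596).
CMDLINES = {596: r'/c del "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"'}

ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


def parse_rows(rows):
    """Turn signature rows into (src_pid, action, dst_pid, src_image, dst_image)."""
    events = []
    for desc, src_img, dst_img in rows:
        m = ROW_RE.match(desc)
        if not m:
            raise ValueError(f"unrecognised row: {desc!r}")
        action = "write" if m[2].startswith("wrote") else "ctx"
        events.append((int(m[1]), action, int(m[3]), src_img, dst_img))
    return events


def find_hollowed(events):
    """PIDs that received both a memory write and a thread-context change from
    one parent running the same image: the process-hollowing pattern."""
    actions = defaultdict(set)
    same_image = {}
    for src, action, dst, src_img, dst_img in events:
        actions[(src, dst)].add(action)
        same_image[(src, dst)] = src_img.lower() == dst_img.lower()
    return sorted(dst for (src, dst), acts in actions.items()
                  if acts == {"write", "ctx"} and same_image[(src, dst)])


def injected_into(events, basename):
    """(source PID, target PID) pairs where a process touched another process
    whose image has the given basename, e.g. every injection into Explorer."""
    return sorted({(src, dst) for src, _, dst, _, dst_img in events
                   if dst_img.lower().endswith("\\" + basename.lower())})


def self_delete(events, cmdlines):
    """cmd.exe children whose command line deletes a file, with the PID and
    image that wrote into them: the dropper clean-up step."""
    del_re = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
    hits = []
    for src, _, dst, src_img, dst_img in events:
        if dst_img.lower().endswith("\\cmd.exe") and dst in cmdlines:
            m = del_re.search(cmdlines[dst])
            if m:
                hits.append((src, src_img, m[1]))
    return hits


EVENTS = parse_rows(WPM_ROWS + STC_ROWS)


def summarise(events=EVENTS, cmdlines=CMDLINES):
    """Collect the three chain stages into one dict."""
    return {
        "hollowed": find_hollowed(events),
        "explorer_injections": injected_into(events, "explorer.exe"),
        "self_delete": self_delete(events, cmdlines),
    }


if __name__ == "__main__":
    for stage, value in summarise().items():
        print(f"{stage}: {value}")
```

On this run the script reports PID 1120 as the hollowed child, two injections into Explorer.EXE (from 1120 and from 968), and help.exe (968) as the process that drove the cmd.exe deletion of the dropper. The same three checks, fed the behavioral2 rows, give 4148, 2668 and netsh.exe (1300).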

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.tbrme.com | udp
GB | 94.136.40.51:80 | www.tbrme.com | tcp
US | 8.8.8.8:53 | www.fzl-fs.com | udp
US | 173.232.23.215:80 | www.fzl-fs.com | tcp
US | 8.8.8.8:53 | www.sinergiberkaryabersama.com | udp
ID | 103.145.226.75:80 | www.sinergiberkaryabersama.com | tcp
US | 8.8.8.8:53 | www.globalfrances.com | udp
US | 185.230.63.161:80 | www.globalfrances.com | tcp
US | 8.8.8.8:53 | www.takeyourshot3500.pro | udp
US | 8.8.8.8:53 | www.newleafremodel.com | udp
US | 34.102.136.180:80 | www.newleafremodel.com | tcp
US | 8.8.8.8:53 | www.eventsp.xyz | udp
US | 8.8.8.8:53 | www.newleafremodel.com | udp
US | 34.102.136.180:80 | www.newleafremodel.com | tcp
US | 8.8.8.8:53 | www.christinesyquia.com | udp
US | 8.8.8.8:53 | www.jenaeeaginshair.com | udp
US | 198.54.117.210:80 | www.jenaeeaginshair.com | tcp
US | 8.8.8.8:53 | www.stanegroupe.com | udp
FR | 213.186.33.5:80 | www.stanegroupe.com | tcp

8.8.8.8:53 is the sandbox's resolver, not an indicator. Seven names were resolved and then contacted over HTTP on port 80; three (www.takeyourshot3500.pro, www.eventsp.xyz, www.christinesyquia.com) were only looked up and never connected to. This fits how Xloader/FormBook operates: it walks a configured list of domains, most of which are decoys or unregistered, so no single hostname here can be taken as the live C2, and all of them belong in the IOC set with that caveat.
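Turning a sandbox Network table into an IOC list needs the same three-way split every time: names actually contacted, names only looked up, and connections with no name at all. The script below is an added example (not part of this report or the sandbox): it parses the behavioral1 rows above, embedded as constructed input together with three of the name-less rows from behavioral2 so that case is exercised, and returns the split plus a de-duplicated indicator list that excludes the resolver and the name-less background connections. The row layout and function names are the example's own.

```python
"""Triage a sandbox Network table: separate names that were actually
contacted from names that were only looked up, and drop the resolver and
domain-less background connections from the IOC list.

Added example for this report. NETWORK_TABLE is constructed input: the
behavioral1 rows as printed above, plus three domain-less rows copied from
behavioral2 to exercise that case.
"""

NETWORK_TABLE = """
US 8.8.8.8:53 www.tbrme.com udp
GB 94.136.40.51:80 www.tbrme.com tcp
US 8.8.8.8:53 www.fzl-fs.com udp
US 173.232.23.215:80 www.fzl-fs.com tcp
US 8.8.8.8:53 www.sinergiberkaryabersama.com udp
ID 103.145.226.75:80 www.sinergiberkaryabersama.com tcp
US 8.8.8.8:53 www.globalfrances.com udp
US 185.230.63.161:80 www.globalfrances.com tcp
US 8.8.8.8:53 www.takeyourshot3500.pro udp
US 8.8.8.8:53 www.newleafremodel.com udp
US 34.102.136.180:80 www.newleafremodel.com tcp
US 8.8.8.8:53 www.eventsp.xyz udp
US 8.8.8.8:53 www.newleafremodel.com udp
US 34.102.136.180:80 www.newleafremodel.com tcp
US 8.8.8.8:53 www.christinesyquia.com udp
US 8.8.8.8:53 www.jenaeeaginshair.com udp
US 198.54.117.210:80 www.jenaeeaginshair.com tcp
US 8.8.8.8:53 www.stanegroupe.com udp
FR 213.186.33.5:80 www.stanegroupe.com tcp
NL 20.190.160.67:443 tcp
US 52.182.143.208:443 tcp
NL 104.110.191.140:80 tcp
"""

RESOLVER = "8.8.8.8"  # the sandbox's DNS forwarder, never an IOC


def parse_network(table):
    """Parse 'Country Destination [Domain] Proto' rows into dicts."""
    rows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:          # connection with no name recorded
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(rows):
    """Split the table into contacted names, lookup-only names (typically
    decoys that did not resolve) and connections with no name at all."""
    looked_up = {r["domain"] for r in rows
                 if r["domain"] and r["ip"] == RESOLVER}
    contacted = {}
    for r in rows:
        if r["domain"] and r["ip"] != RESOLVER:
            contacted.setdefault(r["domain"], (r["ip"], r["port"], r["country"]))
    return {
        "contacted": contacted,
        "lookup_only": sorted(looked_up - set(contacted)),
        "no_domain": sorted({(r["ip"], r["port"]) for r in rows if not r["domain"]}),
    }


def iocs(rows):
    """Flat, de-duplicated indicator list: every name the sample asked for and
    every ip:port it actually reached, excluding the resolver and the
    name-less background connections."""
    c = classify(rows)
    names = set(c["contacted"]) | set(c["lookup_only"])
    endpoints = {f"{ip}:{port}" for ip, port, _ in c["contacted"].values()}
    return sorted(names) + sorted(endpoints)


ROWS = parse_network(NETWORK_TABLE)

if __name__ == "__main__":
    c = classify(ROWS)
    print(f"contacted ({len(c['contacted'])}):", *sorted(c["contacted"]), sep="\n  ")
    print(f"lookup only ({len(c['lookup_only'])}):", *c["lookup_only"], sep="\n  ")
    print(f"no domain ({len(c['no_domain'])}):", *c["no_domain"], sep="\n  ")
```

On the embedded rows this yields 7 contacted names, 3 lookup-only names and 3 name-less connections, and a 17-entry IOC list (10 hostnames plus 7 ip:port pairs). Lookup-only names are kept as indicators on purpose: with this family the decoy list is part of the sample's configuration and identifies it just as well as the live C2 does.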

Files

memory/1092-54-0x0000000000F20000-0x0000000000F98000-memory.dmp

memory/1092-55-0x0000000075F61000-0x0000000075F63000-memory.dmp

memory/1092-56-0x00000000004B0000-0x00000000004BE000-memory.dmp

memory/1092-57-0x0000000000EB0000-0x0000000000F18000-memory.dmp

memory/1092-58-0x0000000000B80000-0x0000000000BB0000-memory.dmp

memory/1120-59-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1120-60-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1120-62-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1120-63-0x000000000041D470-mapping.dmp

memory/1120-65-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1120-66-0x0000000000770000-0x0000000000A73000-memory.dmp

memory/1276-68-0x0000000004C60000-0x0000000004D23000-memory.dmp

memory/1120-67-0x0000000000210000-0x0000000000221000-memory.dmp

memory/968-69-0x0000000000000000-mapping.dmp

memory/968-70-0x0000000000C60000-0x0000000000C66000-memory.dmp

memory/968-71-0x0000000000080000-0x00000000000A9000-memory.dmp

memory/596-72-0x0000000000000000-mapping.dmp

memory/968-73-0x0000000000910000-0x0000000000C13000-memory.dmp

memory/968-74-0x0000000000440000-0x00000000004D0000-memory.dmp

memory/1276-75-0x0000000004EE0000-0x000000000506D000-memory.dmp

memory/968-76-0x0000000000080000-0x00000000000A9000-memory.dmp

memory/1276-77-0x0000000004EE0000-0x000000000506D000-memory.dmp

The dumps to pull first are the two 0x29000-byte regions: 0x400000-0x429000 in the hollowed child (PID 1120) and 0x80000-0xA9000 in help.exe (PID 968) are the same size, consistent with one unpacked payload image being hollowed into the child and then injected into the SysWOW64 host. The Explorer.EXE regions (PID 1276) are larger and differ from each other, so they are not that image.

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-21 11:02

Reported

2022-06-21 11:05

Platform

win10v2004-20220414-en

Max time kernel

150s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata

Xloader Payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (4 identical rows; the sandbox attaches no process detail to this signature)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2268 set thread context of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe
PID 4148 set thread context of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Windows\Explorer.EXE
PID 1300 set thread context of 2668 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A (6 identical rows)
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A (38 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A (2 identical rows)
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2268 wrote to memory of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe (3 identical rows)
PID 2268 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe (6 identical rows)
PID 2668 wrote to memory of 1300 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\netsh.exe (3 identical rows)
PID 1300 wrote to memory of 4424 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\SysWOW64\cmd.exe (3 identical rows)

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
C:\Windows\SysWOW64\netsh.exe | "C:\Windows\SysWOW64\netsh.exe"
C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"

Same chain as behavioral1 with different PIDs: the dropper (2268) writes into two further copies of itself (1200 and 4148) but only sets the thread context of 4148; 4148 sets Explorer.EXE's (2668) thread context; Explorer.EXE writes into netsh.exe (1300), which sets Explorer's context again and writes into cmd.exe (4424), whose command line deletes the dropper. The SysWOW64 host differs between runs (help.exe on Windows 7, netsh.exe on Windows 10) because Xloader/FormBook picks it from a built-in list of system executables, so the host's image name is not a stable detection indicator; the pattern of Explorer.EXE writing into a SysWOW64 binary that then launches cmd.exe /c del on a file in %TEMP% is.

Network

Country | Destination | Domain | Proto
NL | 20.190.160.67:443 | - | tcp
NL | 20.190.160.136:443 | - | tcp
US | 52.182.143.208:443 | - | tcp
NL | 104.110.191.140:80 | - | tcp
NL | 104.110.191.140:80 | - | tcp
NL | 87.248.202.1:80 | - | tcp
NL | 20.190.160.71:443 | - | tcp
US | 8.8.8.8:53 | www.skateboardlovers.com | udp
US | 209.99.64.43:80 | www.skateboardlovers.com | tcp
US | 8.8.8.8:53 | www.69988.club | udp
HK | 103.250.6.230:80 | www.69988.club | tcp
US | 8.8.8.8:53 | www.freshiestuning.com | udp
US | 199.34.228.189:80 | www.freshiestuning.com | tcp
US | 8.8.8.8:53 | www.korenshop.com | udp
SG | 52.221.125.89:80 | www.korenshop.com | tcp
US | 8.8.8.8:53 | www.forge21.xyz | udp
SG | 47.241.169.27:80 | www.forge21.xyz | tcp
US | 8.8.8.8:53 | www.pokerdominogame.com | udp
US | 172.67.217.21:80 | www.pokerdominogame.com | tcp
US | 8.8.8.8:53 | www.cactus-aio.com | udp
US | 8.8.8.8:53 | www.cabanatvs.com | udp
US | 8.8.8.8:53 | www.puzzlelux.com | udp
US | 15.197.142.173:80 | www.puzzlelux.com | tcp
US | 8.8.8.8:53 | www.lens-experts.com | udp
US | 8.8.8.8:53 | www.hdwiz.online | udp
US | 8.8.8.8:53 | www.sjsteinhardt.com | udp
US | 15.197.142.173:80 | www.sjsteinhardt.com | tcp
US | 8.8.8.8:53 | www.jenaeeaginshair.com | udp
US | 198.54.117.212:80 | www.jenaeeaginshair.com | tcp
US | 8.8.8.8:53 | www.doitlive.online | udp
US | 66.96.162.136:80 | www.doitlive.online | tcp

The first seven connections have no name in the sandbox's DNS capture ("-" above). They are consistent with the Windows 10 image's own background traffic (the 20.190.160.x addresses are Microsoft identity endpoints) and should not be listed as sample IOCs without a process attribution. Of the fourteen names the sample asked for, ten were contacted and four (www.cactus-aio.com, www.cabanatvs.com, www.lens-experts.com, www.hdwiz.online) were lookup-only. The two detonations walk almost entirely different domain lists; www.jenaeeaginshair.com is the only name contacted in both (198.54.117.210 in behavioral1, 198.54.117.212 here), which is the behaviour expected from a family that rotates through a configured, mostly decoy, domain set.

Files

memory/2268-130-0x00000000004A0000-0x0000000000518000-memory.dmp

memory/2268-131-0x0000000005440000-0x00000000059E4000-memory.dmp

memory/2268-132-0x0000000004F30000-0x0000000004FC2000-memory.dmp

memory/2268-133-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

memory/2268-134-0x0000000008BD0000-0x0000000008C6C000-memory.dmp

memory/1200-135-0x0000000000000000-mapping.dmp

memory/4148-136-0x0000000000000000-mapping.dmp

memory/4148-137-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4148-139-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4148-140-0x00000000011C0000-0x000000000150A000-memory.dmp

memory/2668-142-0x00000000078C0000-0x000000000797D000-memory.dmp

memory/4148-141-0x0000000000D00000-0x0000000000D11000-memory.dmp

memory/1300-143-0x0000000000000000-mapping.dmp

memory/1300-144-0x0000000001370000-0x000000000138E000-memory.dmp

memory/1300-145-0x0000000000D00000-0x0000000000D29000-memory.dmp

memory/4424-146-0x0000000000000000-mapping.dmp

memory/1300-147-0x00000000016F0000-0x0000000001A3A000-memory.dmp

memory/1300-148-0x00000000012C0000-0x0000000001350000-memory.dmp

memory/1300-149-0x0000000000D00000-0x0000000000D29000-memory.dmp

memory/2668-150-0x0000000007E90000-0x0000000007F6D000-memory.dmp

memory/2668-151-0x0000000007E90000-0x0000000007F6D000-memory.dmp

As in behavioral1, the payload image shows up as a 0x29000-byte region in both the hollowed child and the SysWOW64 host: 0x400000-0x429000 in PID 4148 and 0xD00000-0xD29000 in netsh.exe (PID 1300). The same size on two platforms with two different host binaries is the region to extract for configuration and C2-list recovery.