Malware Analysis Report

2025-08-05 13:51

Sample ID: 220621-m7y15adbdn
Target: AWB_811470484778.exe
SHA256: 7e05b0a9ffe1cfbc4cb926477d044ad7b6046352f8734b95037e4f5ef21bca99
Tags: xloader h4st loader rat suricata
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7e05b0a9ffe1cfbc4cb926477d044ad7b6046352f8734b95037e4f5ef21bca99

Threat Level: Known bad

The file AWB_811470484778.exe was found to be: Known bad.

Malicious Activity Summary

Tags: xloader h4st loader rat suricata

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader

Xloader Payload

Deletes itself

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-06-21 11:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-21 11:07
Reported: 2022-06-21 11:09
Platform: win7-20220414-en
Max time kernel: 151s
Max time network: 151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader (tags: loader, xloader)

suricata: ET MALWARE FormBook CnC Checkin (GET) (tags: suricata)

Xloader Payload (tags: rat)

Count | Description | Indicator | Process | Target
5 | N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1856 set thread context of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe
PID 1672 set thread context of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Windows\Explorer.EXE
PID 1988 set thread context of 1248 | N/A | C:\Windows\SysWOW64\raserver.exe | C:\Windows\Explorer.EXE

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\raserver.exe | N/A

Suspicious use of FindShellTrayWindow

Count | Description | Indicator | Process | Target
2 | N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of SendNotifyMessage

Count | Description | Indicator | Process | Target
2 | N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Count | Description | Indicator | Process | Target
7 | PID 1856 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe
4 | PID 1248 wrote to memory of 1988 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\raserver.exe
4 | PID 1988 wrote to memory of 1948 | N/A | C:\Windows\SysWOW64\raserver.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"

C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"

C:\Windows\SysWOW64\raserver.exe
  Command line: "C:\Windows\SysWOW64\raserver.exe"

C:\Windows\SysWOW64\cmd.exe
  Command line: /c del "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-21 11:07
Reported: 2022-06-21 11:09
Platform: win10v2004-20220414-en
Max time kernel: 147s
Max time network: 148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader (tags: loader, xloader)

suricata: ET MALWARE FormBook CnC Checkin (GET) (tags: suricata)

Xloader Payload (tags: rat)

Count | Description | Indicator | Process | Target
4 | N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 536 set thread context of 3944 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe
PID 3944 set thread context of 672 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Windows\Explorer.EXE
PID 4600 set thread context of 672 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Count | Description | Indicator | Process | Target
4 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A
40 | N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious use of WriteProcessMemory

Count | Description | Indicator | Process | Target
6 | PID 536 wrote to memory of 3944 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe
3 | PID 672 wrote to memory of 4600 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\explorer.exe
3 | PID 4600 wrote to memory of 4836 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"

C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"

C:\Windows\SysWOW64\explorer.exe
  Command line: "C:\Windows\SysWOW64\explorer.exe"

C:\Windows\SysWOW64\cmd.exe
  Command line: /c del "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"

Network


Files
