Malware Analysis Report

2025-08-05 13:51

Sample ID 220621-mdrpysfbg2
Target 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21
SHA256 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21
Tags
xloader a2es loader rat
score
10/10

Analysis Overview

score
10/10

SHA256

25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21

Threat Level: Known bad

The file 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21 was found to be: Known bad.

Malicious Activity Summary

xloader a2es loader rat

Xloader

Xloader Payload

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-21 10:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-21 10:21

Reported

2022-06-21 10:23

Platform

win10-20220414-en

Max time kernel

57s

Max time network

78s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe"

Signatures

Xloader

loader xloader

Xloader Payload

rat

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe C:\Users\Admin\AppData\Local\Temp\25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe

Processes

C:\Users\Admin\AppData\Local\Temp\25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe

"C:\Users\Admin\AppData\Local\Temp\25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe"

C:\Users\Admin\AppData\Local\Temp\25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe

"C:\Users\Admin\AppData\Local\Temp\25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe"

Network

Country Destination Domain Proto
US 20.42.65.89:443 tcp
US 93.184.221.240:80 tcp

Files
