Malware Analysis Report

2025-06-16 05:13

Sample ID: 230120-wttc6ahb79
Target: 0.exe
SHA256: 223430a82147cb3fdb9c50c0f133c766c42a24ac655406dd908d198a8334dcda
Tags: rat 2bun xloader loader
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 223430a82147cb3fdb9c50c0f133c766c42a24ac655406dd908d198a8334dcda

Threat Level: Known bad

The file 0.exe was found to be: Known bad.

Malicious Activity Summary

rat 2bun xloader loader

Xloader payload

Xloader

Xloader family

Deletes itself

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-01-20 18:13

Signatures

Xloader family (tags: xloader)

Xloader payload (tags: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-20 18:13
Reported: 2023-01-20 18:15
Platform: win7-20221111-en
Max time kernel: 97s
Max time network: 96s

Command Line: C:\Windows\Explorer.EXE

Signatures

Xloader (tags: loader xloader)

Xloader payload (tags: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x2)

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1708 set thread context of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\0.exe | C:\Windows\Explorer.EXE
PID 1772 set thread context of 1228 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0.exe | N/A (x3)
N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A (x2)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A (x2)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1228 wrote to memory of 1772 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\mstsc.exe (x4)
PID 1772 wrote to memory of 948 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\SysWOW64\cmd.exe (x4)

Processes

Process | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\0.exe | "C:\Users\Admin\AppData\Local\Temp\0.exe"
C:\Windows\SysWOW64\mstsc.exe | "C:\Windows\SysWOW64\mstsc.exe"
C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\0.exe"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-20 18:13
Reported: 2023-01-20 18:14
Platform: win10v2004-20221111-en
Max time kernel: 93s
Max time network: 93s

Command Line: C:\Windows\Explorer.EXE

Signatures

Xloader (tags: loader xloader)

Xloader payload (tags: rat)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x2)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5092 set thread context of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\0.exe | C:\Windows\Explorer.EXE
PID 3300 set thread context of 2492 | N/A | C:\Windows\SysWOW64\WWAHost.exe | C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0.exe | N/A (x4)
N/A | N/A | C:\Windows\SysWOW64\WWAHost.exe | N/A (x36)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0.exe | N/A (x3)
N/A | N/A | C:\Windows\SysWOW64\WWAHost.exe | N/A (x2)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WWAHost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2492 wrote to memory of 3300 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\WWAHost.exe (x3)
PID 3300 wrote to memory of 1144 | N/A | C:\Windows\SysWOW64\WWAHost.exe | C:\Windows\SysWOW64\cmd.exe (x3)

Processes

Process | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\0.exe | "C:\Users\Admin\AppData\Local\Temp\0.exe"
C:\Windows\SysWOW64\autochk.exe | "C:\Windows\SysWOW64\autochk.exe" (x11)
C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" (x11)
C:\Windows\SysWOW64\WWAHost.exe | "C:\Windows\SysWOW64\WWAHost.exe"
C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\0.exe"

Network


Files
