Malware Analysis Report

2025-06-16 05:12

Sample ID 230129-y8hw3sde71
Target d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2
SHA256 d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2
Tags
xloader e68n loader rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2

Threat Level: Known bad

The file d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2 was found to be: Known bad.

Malicious Activity Summary

xloader e68n loader rat

Xloader

CustAttr .NET packer

Xloader payload

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-01-29 20:27

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-29 20:27

Reported

2023-01-29 20:29

Platform

win10v2004-20220812-en

Max time kernel

130s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe"

Signatures

Xloader

loader xloader

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4556 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
PID 4556 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
PID 4556 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
PID 4556 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
PID 4556 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
PID 4556 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe

"C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe"

C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe

"C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe"

Network

Country  Destination         Domain                     Proto
N/A      93.184.220.29:80    N/A                        tcp
N/A      93.184.220.29:80    N/A                        tcp
N/A      13.89.179.8:443     N/A                        tcp
N/A      8.8.8.8:53          15.89.54.20.in-addr.arpa   udp
N/A      8.238.20.126:80     N/A                        tcp

Files

memory/4556-132-0x0000000000500000-0x00000000005FC000-memory.dmp

memory/4556-133-0x0000000004F90000-0x000000000502C000-memory.dmp

memory/4556-134-0x0000000005690000-0x0000000005C34000-memory.dmp

memory/4556-135-0x00000000050E0000-0x0000000005172000-memory.dmp

memory/4556-136-0x0000000005030000-0x000000000503A000-memory.dmp

memory/4556-137-0x0000000005180000-0x00000000051D6000-memory.dmp

memory/1700-138-0x0000000000000000-mapping.dmp

memory/1700-139-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1700-140-0x00000000017B0000-0x0000000001AFA000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-29 20:27

Reported

2023-01-29 20:29

Platform

win7-20221111-en

Max time kernel

103s

Max time network

31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe"

Signatures

Xloader

loader xloader

CustAttr .NET packer

Description Indicator Process Target
N/A N/A N/A N/A

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
PID 1232 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
PID 1232 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
PID 1232 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
PID 1232 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
PID 1232 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
PID 1232 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe

"C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe"

C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe

"C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe"

Network

N/A

Files

memory/1232-54-0x00000000012A0000-0x000000000139C000-memory.dmp

memory/1232-55-0x00000000760B1000-0x00000000760B3000-memory.dmp

memory/1232-56-0x0000000000390000-0x0000000000398000-memory.dmp

memory/1232-57-0x0000000001250000-0x00000000012A6000-memory.dmp

memory/1500-58-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1500-59-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1500-61-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1500-62-0x000000000041CFC0-mapping.dmp

memory/1500-63-0x00000000008D0000-0x0000000000BD3000-memory.dmp
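Both behavioral runs record the same shape of activity: the sample launches a second copy of itself, the parent writes into the child several times (PID 4556 into 1700, PID 1232 into 1500), and the sandbox then dumps a 0x28000-byte region at 0x400000 from the child plus one "mapping.dmp" entry per child (at 0x0 in behavioral2, at 0x41CFC0 in behavioral1). Only behavioral2 shows network activity, and the report attaches no domain to its TCP connections; the one DNS event is a reverse lookup, so nothing on this page ties those addresses to the sample's command-and-control. The script below is an added example, not part of the sandbox output or of any tooling the report describes: it parses rows copied from the two runs, pairs each parent/child write chain with the regions dumped from that child, checks whether the mapping address falls inside a dumped region, and decodes the in-addr.arpa name back to the address being looked up. The row formats it expects are exactly those printed above; the helper names are this example's own.

```python
"""Extract the self-injection chain and network rows from a sandbox report.

Added example. Input rows are copied from the behavioral1 and behavioral2
sections of this report; the parsers and the PTR decoder are this example's
own code, not the sandbox's.
"""
import re
from collections import Counter

IMAGE = (r"C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074"
         r"509ad6cc1e21fd710f7a9f97a5d623e2.exe")

# "Suspicious use of WriteProcessMemory" rows: six in behavioral2, seven in behavioral1.
WRITE_ROWS = ([f"PID 4556 wrote to memory of 1700 N/A {IMAGE} {IMAGE}"] * 6
              + [f"PID 1232 wrote to memory of 1500 N/A {IMAGE} {IMAGE}"] * 7)

# "Files" entries dumped from the child process of each run (constructed input).
MEMORY_FILES = """
memory/1700-138-0x0000000000000000-mapping.dmp
memory/1700-139-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1700-140-0x00000000017B0000-0x0000000001AFA000-memory.dmp
memory/1500-58-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1500-59-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1500-62-0x000000000041CFC0-mapping.dmp
memory/1500-63-0x00000000008D0000-0x0000000000BD3000-memory.dmp
""".split()

# "Network" rows from behavioral2 (behavioral1 recorded none).
NETWORK_ROWS = """
N/A 93.184.220.29:80 tcp
N/A 13.89.179.8:443 tcp
N/A 8.8.8.8:53 15.89.54.20.in-addr.arpa udp
N/A 8.238.20.126:80 tcp
""".strip().splitlines()

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
MEM_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")
PTR_SUFFIX = ".in-addr.arpa"


def parse_writes(rows):
    """(source pid, target pid, source image, target image) per WriteProcessMemory row."""
    out = []
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            src, dst, _indicator, proc, target = m.groups()
            out.append((int(src), int(dst), proc, target))
    return out


def parse_memory(names):
    """Decode memory/<pid>-<n>-<start>[-<end>]-<kind>.dmp into numeric ranges."""
    out = []
    for name in names:
        m = MEM_RE.match(name)
        if m:
            pid, start, end, kind = m.groups()
            out.append({"pid": int(pid), "kind": kind, "start": int(start, 16),
                        "end": int(end, 16) if end else None})
    return out


def self_injection(writes, mem):
    """One finding per (parent, child) pair the parent wrote into, joined with
    the regions the sandbox dumped from that child."""
    counts = Counter((s, d) for s, d, _, _ in writes)
    findings = []
    for (src, dst), n in sorted(counts.items()):
        proc, target = next((p, t) for s, d, p, t in writes if (s, d) == (src, dst))
        child = [r for r in mem if r["pid"] == dst]
        regions = sorted({(r["start"], r["end"]) for r in child if r["kind"] == "memory"})
        mapped = [r["start"] for r in child if r["kind"] == "mapping"]
        findings.append({
            "parent": src, "child": dst, "writes": n,
            "same_image": proc.lower() == target.lower(),
            "child_regions": regions,
            "mapping_addr": mapped,
            # mapping addresses that land inside a region dumped from the child
            "mapping_inside_region": [(a, s, e) for a in mapped
                                      for s, e in regions if s <= a < e],
        })
    return findings


def ptr_to_ip(name):
    """15.89.54.20.in-addr.arpa -> 20.54.89.15 (PTR names list the octets reversed)."""
    if not name.lower().endswith(PTR_SUFFIX):
        raise ValueError(f"not a PTR name: {name}")
    labels = name[:-len(PTR_SUFFIX)].split(".")
    if len(labels) != 4 or not all(l.isdigit() and int(l) <= 255 for l in labels):
        raise ValueError(f"malformed PTR name: {name}")
    return ".".join(reversed(labels))


def parse_network(rows):
    """Country/Destination/Domain/Proto rows; the Domain column is usually absent."""
    out = []
    for row in rows:
        parts = row.split()
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, port = dest.rsplit(":", 1)
        entry = {"country": country, "ip": ip, "port": int(port),
                 "proto": proto, "domain": domain}
        if domain and domain.lower().endswith(PTR_SUFFIX):
            entry["ptr_target"] = ptr_to_ip(domain)
        out.append(entry)
    return out
```

Run against the rows above, `self_injection` reports that both parents wrote into a child running the same image, that each child was dumped with a 0x28000-byte region at 0x400000, and that only behavioral1's mapping address (0x41CFC0) lies inside that region; `parse_network` returns the four behavioral2 destinations with no domain on the TCP rows and the reverse lookup decoded to 20.54.89.15. Neither function attributes the traffic to the sample; that still needs correlation with the dumped payload or a second detonation.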