Malware Analysis Report

2025-04-13 10:43

Sample ID: 231230-ewxd6adhg9
Target: 0e2f9d545ac87b4e9762ca50e2bf15ab
SHA256: fabf4628b3813230d81f4c1a4991a0fe21550362177dd7b451e80c6a839b6814
Tags: xloader q4kr loader rat
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: fabf4628b3813230d81f4c1a4991a0fe21550362177dd7b451e80c6a839b6814

Threat Level: Known bad

The file 0e2f9d545ac87b4e9762ca50e2bf15ab was found to be: Known bad.

Malicious Activity Summary

Tags: xloader q4kr loader rat

Xloader
CustAttr .NET packer
Xloader payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-12-30 04:18

Signatures

Unsigned PE
(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-30 04:18
Reported: 2023-12-31 19:19
Platform: win7-20231129-en
Max time kernel: 148s
Max time network: 118s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader (tags: loader xloader)

CustAttr .NET packer
(no indicator details recorded)

Xloader payload (tag: rat)
(5 hits; no indicator details recorded)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1680 wrote to memory of 2564 (10 events) | N/A | C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1356 wrote to memory of 2960 (4 events) | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2188 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\cmd.exe
  command line: "C:\Windows\SysWOW64\cmd.exe"

C:\Windows\SysWOW64\cmd.exe
  command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-30 04:18
Reported: 2023-12-31 19:19
Platform: win10v2004-20231222-en
Max time kernel: 149s
Max time network: 153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader (tags: loader xloader)

CustAttr .NET packer
(no indicator details recorded)

Xloader payload (tag: rat)
(4 hits; no indicator details recorded)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2252 set thread context of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2168 set thread context of 3488 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE
PID 4824 set thread context of 3488 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe (2 events) | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (4 events) | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe (40 events) | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2252 wrote to memory of 2168 (6 events) | N/A | C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3488 wrote to memory of 4824 (3 events) | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\rundll32.exe
PID 4824 wrote to memory of 2344 (3 events) | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\rundll32.exe
  command line: "C:\Windows\SysWOW64\rundll32.exe"

C:\Windows\SysWOW64\cmd.exe
  command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network


Files
