Technical Analysis of Xloader Versions 6 and 7
Essential information
- Published: 28/01/2025 08:48
- Modified: 28/01/2025 09:07
- Tags: 2025-01-28, api resolution, encryption, formbook, information stealer, ntdll hook evasion, obfuscation, process injection, xloader
- Related entities: 200 observables, 1 intrusion set (APT), 8 techniques (MITRE), 2 malware
Description
This analysis examines the latest versions of the Xloader malware, focusing on its advanced obfuscation techniques. Xloader, the successor to Formbook, is an information stealer that targets browsers, email clients, and FTP applications. The malware employs multiple layers of encryption to protect critical code and data, which complicates analysis. Key features include multi-stage process injection, dynamic string and API resolution, and NTDLL hook evasion. Xloader's evolution shows increasing sophistication in concealing its operations, with each version introducing new obfuscation methods to evade detection and hinder reverse engineering.