{
  "name": "Technical Analysis of Xloader Versions 6 and 7",
  "slug": "technical-analysis-of-xloader-versions-6-and-7",
  "description": "This analysis examines the latest versions of the Xloader malware, focusing on its advanced obfuscation techniques. Xloader, the successor to Formbook, is an information stealer that targets browsers, email clients, and FTP applications. The malware employs multiple encryption layers to protect critical code and data, which complicates analysis. Key features include multi-stage process injection, dynamic string and API resolution, and NTDLL hook evasion. Xloader's evolution shows increasing sophistication in concealing its operations, with each version introducing new obfuscation methods to evade detection and hinder reverse engineering.",
  "published": "2025-01-28T07:48:50+00:00",
  "created_at": "2025-01-28T07:48:50+00:00",
  "modified_at": "2025-01-28T08:07:38+00:00",
  "created_at_opencti": "2025-01-28T07:48:50+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-01-28",
    "api resolution",
    "encryption",
    "formbook",
    "information stealer",
    "ntdll hook evasion",
    "obfuscation",
    "process injection",
    "xloader"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "www.zwetststuren.cfd"
      },
      {
        "id": "",
        "name": "www.yu35n.top"
      },
      {
        "id": "",
        "name": "www.yourhomecopilot.online"
      },
      {
        "id": "",
        "name": "www.xfgqbh.site"
      },
      {
        "id": "",
        "name": "www.xediedie.icu"
      },
      {
        "id": "",
        "name": "www.womenscalshion.com"
      },
      {
        "id": "",
        "name": "www.weberze.com"
      },
      {
        "id": "",
        "name": "www.weatherbook.live"
      },
      {
        "id": "",
        "name": "www.wdeb18.top"
      },
      {
        "id": "",
        "name": "www.wdcb30.top"
      },
      {
        "id": "",
        "name": "www.vegastinyhomes.net"
      },
      {
        "id": "",
        "name": "www.uxzl.site"
      },
      {
        "id": "",
        "name": "www.useanecdotenow.tech"
      },
      {
        "id": "",
        "name": "www.tupinkeept.cfd"
      },
      {
        "id": "",
        "name": "www.trisixnine.net"
      },
      {
        "id": "",
        "name": "www.trapkitten.website"
      },
      {
        "id": "",
        "name": "www.tracy.club"
      },
      {
        "id": "",
        "name": "www.torex33.online"
      },
      {
        "id": "",
        "name": "www.tk254kr6rwr7mjtru.com"
      },
      {
        "id": "",
        "name": "www.theproselytizer.net"
      },
      {
        "id": "",
        "name": "www.tehranrizcomputer.com"
      },
      {
        "id": "",
        "name": "www.solar-windturbine.life"
      },
      {
        "id": "",
        "name": "www.softillery.info"
      },
      {
        "id": "",
        "name": "www.serverplay.live"
      },
      {
        "id": "",
        "name": "www.scwspark.com"
      },
      {
        "id": "",
        "name": "www.sazekents.cfd"
      },
      {
        "id": "",
        "name": "www.sathyfe.com"
      },
      {
        "id": "",
        "name": "www.rtpngk.xyz"
      },
      {
        "id": "",
        "name": "www.sansensors.info"
      },
      {
        "id": "",
        "name": "www.rtpgaruda888resmi.xyz"
      },
      {
        "id": "",
        "name": "www.royalkredit.online"
      },
      {
        "id": "",
        "name": "www.roundhaygardenscene.com"
      },
      {
        "id": "",
        "name": "www.rockbull.pro"
      },
      {
        "id": "",
        "name": "www.resumeyourway.info"
      },
      {
        "id": "",
        "name": "www.revelationfithub.com"
      },
      {
        "id": "",
        "name": "www.queima.shop"
      },
      {
        "id": "",
        "name": "www.projectimprov.com"
      },
      {
        "id": "",
        "name": "www.promasterev.shop"
      },
      {
        "id": "",
        "name": "www.portfutures.asia"
      },
      {
        "id": "",
        "name": "www.polarmuseum.info"
      },
      {
        "id": "",
        "name": "www.pinnaclebyte.info"
      },
      {
        "id": "",
        "name": "www.platinumkitchens.info"
      },
      {
        "id": "",
        "name": "www.pethut.shop"
      },
      {
        "id": "",
        "name": "www.pachuco.supply"
      },
      {
        "id": "",
        "name": "www.ok2yu.us"
      },
      {
        "id": "",
        "name": "www.ohio-adr.net"
      },
      {
        "id": "",
        "name": "www.ntn.solar"
      },
      {
        "id": "",
        "name": "www.nojamaica.net"
      },
      {
        "id": "",
        "name": "www.ngmr.xyz"
      },
      {
        "id": "",
        "name": "www.myhosting.co.in"
      },
      {
        "id": "",
        "name": "www.mscfoundation.info"
      },
      {
        "id": "",
        "name": "www.moncoop.coop"
      },
      {
        "id": "",
        "name": "www.mechecker.life"
      },
      {
        "id": "",
        "name": "www.meg21c.top"
      },
      {
        "id": "",
        "name": "www.mc9uh8d70.site"
      },
      {
        "id": "",
        "name": "www.markthing.site"
      },
      {
        "id": "",
        "name": "www.mag-flex.com"
      },
      {
        "id": "",
        "name": "www.luismoreno.monster"
      },
      {
        "id": "",
        "name": "www.lriz.site"
      },
      {
        "id": "",
        "name": "www.lollybowly.com"
      },
      {
        "id": "",
        "name": "www.lojashelp.video"
      },
      {
        "id": "",
        "name": "www.limitlesssky.org"
      },
      {
        "id": "",
        "name": "www.livemarkat.live"
      },
      {
        "id": "",
        "name": "www.lifedrawingbristol.co.uk"
      },
      {
        "id": "",
        "name": "www.lenaguillemette.com"
      },
      {
        "id": "",
        "name": "www.kx507981.shop"
      },
      {
        "id": "",
        "name": "www.komart.shop"
      },
      {
        "id": "",
        "name": "www.kabaribukota.press"
      },
      {
        "id": "",
        "name": "www.kavanzi.com"
      },
      {
        "id": "",
        "name": "www.jarvisandbrown.com"
      },
      {
        "id": "",
        "name": "www.jamesgadzikmd.com"
      },
      {
        "id": "",
        "name": "www.iwin.exposed"
      },
      {
        "id": "",
        "name": "www.inf30027group23.xyz"
      },
      {
        "id": "",
        "name": "www.hk9.xyz"
      },
      {
        "id": "",
        "name": "www.huemanstudio.today"
      },
      {
        "id": "",
        "name": "www.hentaistgma.net"
      },
      {
        "id": "",
        "name": "www.happiluv.com"
      },
      {
        "id": "",
        "name": "www.haycoches.com"
      },
      {
        "id": "",
        "name": "www.haftplicht.com"
      },
      {
        "id": "",
        "name": "www.goog1evip15.com"
      },
      {
        "id": "",
        "name": "www.greekhause.org"
      },
      {
        "id": "",
        "name": "www.getmylinks.cc"
      },
      {
        "id": "",
        "name": "www.fraternize.org"
      },
      {
        "id": "",
        "name": "www.gattosat.icu"
      },
      {
        "id": "",
        "name": "www.fastr.live"
      },
      {
        "id": "",
        "name": "www.flusznwrldwide.com"
      },
      {
        "id": "",
        "name": "www.federall.store"
      },
      {
        "id": "",
        "name": "www.everycreation.shop"
      },
      {
        "id": "",
        "name": "www.eslameldaramlly.site"
      },
      {
        "id": "",
        "name": "www.energeticfranchise.top"
      },
      {
        "id": "",
        "name": "www.electronicraw.com"
      },
      {
        "id": "",
        "name": "www.electra-airways.info"
      },
      {
        "id": "",
        "name": "www.efidence.com"
      },
      {
        "id": "",
        "name": "www.eeja.uk"
      },
      {
        "id": "",
        "name": "www.earn50k.com"
      },
      {
        "id": "",
        "name": "www.easestore.shop"
      },
      {
        "id": "",
        "name": "www.dutch-wildlife.shop"
      },
      {
        "id": "",
        "name": "www.dumpstedoctorca.com"
      },
      {
        "id": "",
        "name": "www.dto20.shop"
      },
      {
        "id": "",
        "name": "www.dsisarl.com"
      },
      {
        "id": "",
        "name": "www.dhkatp.vip"
      },
      {
        "id": "",
        "name": "www.devocionmusic.com"
      },
      {
        "id": "",
        "name": "www.d27dm.top"
      },
      {
        "id": "",
        "name": "www.crochetpets.online"
      },
      {
        "id": "",
        "name": "www.cuffbow.com"
      },
      {
        "id": "",
        "name": "www.childlesscatlady.today"
      },
      {
        "id": "",
        "name": "www.chalet-tofane.net"
      },
      {
        "id": "",
        "name": "www.cgm-logistics.org"
      },
      {
        "id": "",
        "name": "www.carpmaxxbait.online"
      },
      {
        "id": "",
        "name": "www.brighterhomesdecor.com"
      },
      {
        "id": "",
        "name": "www.bluegirls.blog"
      },
      {
        "id": "",
        "name": "www.bismarckrecovery.com"
      },
      {
        "id": "",
        "name": "www.bkexclusivecars.net"
      },
      {
        "id": "",
        "name": "www.bayarcepat19.click"
      },
      {
        "id": "",
        "name": "www.aspasskeoffice.homes"
      },
      {
        "id": "",
        "name": "www.avolci.com"
      },
      {
        "id": "",
        "name": "www.aromavida.net"
      },
      {
        "id": "",
        "name": "www.arasymimbi.com"
      },
      {
        "id": "",
        "name": "www.amitayush.digital"
      },
      {
        "id": "",
        "name": "www.am8pw.us"
      },
      {
        "id": "",
        "name": "www.allthingsjasmin.com"
      },
      {
        "id": "",
        "name": "www.allsolar.xyz"
      },
      {
        "id": "",
        "name": "www.alace5.com"
      },
      {
        "id": "",
        "name": "www.aarunifoodcrafters.com"
      },
      {
        "id": "",
        "name": "www.airbatchnow.online"
      },
      {
        "id": "",
        "name": "www.aaavvejibej.bond"
      },
      {
        "id": "",
        "name": "www.44ddw.top"
      },
      {
        "id": "",
        "name": "www.030002304.xyz"
      },
      {
        "id": "",
        "name": "http://www.zwetststuren.cfd/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.yu35n.top/kejj/"
      },
      {
        "id": "",
        "name": "http://www.yourhomecopilot.online/gctn/"
      },
      {
        "id": "",
        "name": "http://www.xfgqbh.site/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.womenscalshion.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.xediedie.icu/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.weberze.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.weatherbook.live/tfj4/"
      },
      {
        "id": "",
        "name": "http://www.wdeb18.top/kv48/"
      },
      {
        "id": "",
        "name": "http://www.wdcb30.top/s7v2/"
      },
      {
        "id": "",
        "name": "http://www.vegastinyhomes.net/f2tm/"
      },
      {
        "id": "",
        "name": "http://www.uxzl.site/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.useanecdotenow.tech/vera/"
      },
      {
        "id": "",
        "name": "http://www.tupinkeept.cfd/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.trisixnine.net/0057/"
      },
      {
        "id": "",
        "name": "http://www.trapkitten.website/y6hh/"
      },
      {
        "id": "",
        "name": "http://www.tracy.club/rwcg/"
      },
      {
        "id": "",
        "name": "http://www.torex33.online/pvct/"
      },
      {
        "id": "",
        "name": "http://www.tk254kr6rwr7mjtru.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.theproselytizer.net/od1n/"
      },
      {
        "id": "",
        "name": "http://www.tehranrizcomputer.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.solar-windturbine.life/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.softillery.info/cyhg/"
      },
      {
        "id": "",
        "name": "http://www.serverplay.live/6b8s/"
      },
      {
        "id": "",
        "name": "http://www.scwspark.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.sazekents.cfd/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.sathyfe.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.sansensors.info/ip84/"
      },
      {
        "id": "",
        "name": "http://www.rtpngk.xyz/yd3l/"
      },
      {
        "id": "",
        "name": "http://www.rtpgaruda888resmi.xyz/u8o7/"
      },
      {
        "id": "",
        "name": "http://www.royalkredit.online/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.roundhaygardenscene.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.rockbull.pro/0tt2/"
      },
      {
        "id": "",
        "name": "http://www.revelationfithub.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.resumeyourway.info/vn92/"
      },
      {
        "id": "",
        "name": "http://www.queima.shop/mdoj/"
      },
      {
        "id": "",
        "name": "http://www.promasterev.shop/zjp0/"
      },
      {
        "id": "",
        "name": "http://www.projectimprov.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.portfutures.asia/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.polarmuseum.info/m8hf/"
      },
      {
        "id": "",
        "name": "http://www.platinumkitchens.info/dquo/"
      },
      {
        "id": "",
        "name": "http://www.pethut.shop/wrhe/"
      },
      {
        "id": "",
        "name": "http://www.pinnaclebyte.info/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.pachuco.supply/7gdu/"
      },
      {
        "id": "",
        "name": "http://www.ok2yu.us/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.ohio-adr.net/j0y4/"
      },
      {
        "id": "",
        "name": "http://www.ntn.solar/fcmy/"
      },
      {
        "id": "",
        "name": "http://www.nojamaica.net/g7eq/"
      },
      {
        "id": "",
        "name": "http://www.ngmr.xyz/4muf/"
      },
      {
        "id": "",
        "name": "http://www.myhosting.co.in/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.moncoop.coop/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.mscfoundation.info/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.meg21c.top/3jg0/"
      },
      {
        "id": "",
        "name": "http://www.mc9uh8d70.site/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.mechecker.life/b6h1/"
      },
      {
        "id": "",
        "name": "http://www.markthing.site/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.mag-flex.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.luismoreno.monster/06xo/"
      },
      {
        "id": "",
        "name": "http://www.lriz.site/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.lollybowly.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.lojashelp.video/ao78/"
      },
      {
        "id": "",
        "name": "http://www.livemarkat.live/8h0p/"
      },
      {
        "id": "",
        "name": "http://www.limitlesssky.org/50p5/"
      },
      {
        "id": "",
        "name": "http://www.lifedrawingbristol.co.uk/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.kx507981.shop/q3r9/"
      },
      {
        "id": "",
        "name": "http://www.lenaguillemette.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.komart.shop/b2t1/"
      },
      {
        "id": "",
        "name": "http://www.kavanzi.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.kabaribukota.press/nr90/"
      },
      {
        "id": "",
        "name": "http://www.jarvisandbrown.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.jamesgadzikmd.com/ir6g/"
      },
      {
        "id": "",
        "name": "http://www.iwin.exposed/ir6g/"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:c2c5b6cea590f03b",
        "name": "Xloader",
        "slug": "xloader"
      },
      {
        "id": "legacy:malware:a81818615b7705ec",
        "name": "Formbook",
        "slug": "formbook"
      }
    ],
    "intrusion_sets": [
      {
        "id": "9ca2eb8c-8ede-48e7-a564-bc0d659aa855",
        "name": "Xloader",
        "slug": "xloader"
      }
    ],
    "attack_patterns": [
      {
        "id": "91538b4d-2654-4431-ba1e-5c775151a7cb",
        "name": "T1574.008"
      },
      {
        "id": "7dc1bc79-ccad-419e-b7c0-0f7fa8522270",
        "name": "T1055.012"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      }
    ]
  },
  "external_refs": [
    "https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-1",
    "https://otx.alienvault.com/pulse/679899f2238670ef37ccaff5"
  ]
}