MalwareAnalysisSeries

This repository contains analysis reports, technical write-ups and any tools created to help with malware analysis. It also contains the TTPs extracted from each sample, with code and the matching detection rules.


Project maintained by shaddy43 Hosted on GitHub Pages — Theme by mattgraham

Xloader4.3 AKA Formbook

Xloader Image

XLoader, an advanced evolution of the FormBook malware, stands out as a highly sophisticated threat known for its dual role as an information stealer and a versatile downloader for further malicious payloads. Notable for its resilience, XLoader constantly adopts the latest and most intricate evasion techniques, making it a formidable challenge for defenders. Its notoriety is heightened by its role as a commercial Malware-as-a-Service offering, which lets criminals tailor and deploy the malware for a wide range of malicious activities.

Xloader AKA Formbook Analysis PDF Report



GitHub Repo

To match hashes, save any hash value you find in a sample to the hashes.txt file; it will be compared against the source strings available in the hash_sources.json file. If a match is found, it is printed out.

Xloader4.3 AKA Formbook InfoStealer TTPs

TTP | Description | Code | Detection
Defense Evasion | Xloader4.3 uses an ntdll unhooking technique called 'Lagos Island' to avoid detection by EDR solutions | Code | Rule/Query coming soon!
Defense Evasion | Xloader4.3 implements a highly advanced and unique obfuscation technique in which the code in the binary's .text section is stored encrypted and is decrypted at run time | Code | Rule/Query coming soon!
TTPs | More coming soon... | Code coming soon... | Rule/Query coming soon...
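A detection heuristic for the encrypted-.text row above, added here as an example and not taken from the repository: it walks the PE section table, computes the byte entropy of each executable section and flags sections above an assumed threshold of 7.0 bits/byte, since ciphertext sits near 8 while ordinary compiled code sits near 6. The sample PE is constructed inside the block; the threshold, the two-section layout and the SHA-256 chain used as stand-in ciphertext are all assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(pe: bytes):
    """Yield (name, characteristics, raw_bytes) for each section of a PE image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(num_sections):
        off = first + i * 40  # sizeof(IMAGE_SECTION_HEADER)
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<IIIIHHI", pe, off + 16)
        yield name, chars, pe[raw_ptr:raw_ptr + raw_size]

def flag_encrypted_code(pe: bytes, threshold: float = 7.0) -> dict:
    """Executable sections whose byte entropy suggests encrypted or packed code (assumed cut-off)."""
    return {name: round(shannon_entropy(raw), 3)
            for name, chars, raw in pe_sections(pe)
            if chars & IMAGE_SCN_MEM_EXECUTE and shannon_entropy(raw) > threshold}

def build_sample_pe() -> bytes:
    """Constructed PE: an encrypted-looking .text beside a plaintext .data."""
    text, seed = bytearray(), b"constructed seed"
    while len(text) < 4096:  # deterministic high-entropy filler standing in for ciphertext
        seed = hashlib.sha256(seed).digest()
        text += seed
    data = b"Hello from a plaintext data section. " * 100
    sections = [(b".text", bytes(text), 0x60000020), (b".data", data, 0xC0000040)]
    body_start = 0x40 + 4 + 20 + 40 * len(sections)  # headers only, no optional header
    shdrs, body = bytearray(), bytearray()
    for name, raw, chars in sections:
        shdrs += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw),
                             body_start + len(body), 0, 0, 0, 0, chars)
        body += raw
    head = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return bytes(head + shdrs + body)
```

Entropy alone also fires on legitimately packed or compressed software, so treat a hit as a triage signal to pair with the run-time decryption behaviour rather than as a verdict.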

Disclaimer

The artifacts and code of this repository are intended for educational purposes only!