{
  "Event": {
    "analysis": "1",
    "date": "2026-03-31",
    "extends_uuid": "",
    "info": "[Threat Intel] Latest Xloader Obfuscation Methods and Network Protocol",
    "protected": false,
    "publish_timestamp": "1775970091",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775970091",
    "uuid": "50f59df1-0c1e-4870-adc6-5348658ec9f9",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#6dbaba",
        "local": false,
        "name": "misp-galaxy:producer=\"Zscaler\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#56c932",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Xloader\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098814",
        "to_ids": false,
        "type": "link",
        "uuid": "79b0652a-5ff3-4523-b7dd-aee59c83fead",
        "value": "https://www.zscaler.com/blogs/security-research/latest-xloader-obfuscation-methods-and-network-protocol"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098814",
        "to_ids": false,
        "type": "text",
        "uuid": "78f18c8b-eeb6-40a3-8ad9-fac47d94d4fb",
        "value": "Xloader is an information stealing malware family that evolved from Formbook and targets web browsers, email clients, and File Transfer Protocol (FTP) applications. Additionally, Xloader may execute arbitrary commands and download second-stage payloads on an infected system. The author of Xloader continues to update the codebase, with the most recent observed version being 8.7. Since version 8.1, the Xloader developer applied several changes to the code obfuscation. The purpose of this blog is to describe the latest obfuscation methods and provide an in-depth analysis of the network communication protocol. We highly recommend reading our previous blogs about Xloader in order to get a better understanding of the malware\u2019s internals."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098814",
        "to_ids": false,
        "type": "text",
        "uuid": "7098ce13-3238-46e9-800f-486ad01bbb4e",
        "value": "Name: Latest Xloader Obfuscation Methods and Network Protocol\nAuthor: AlienVault\nAdversary: \nTags: [\"FTP\", \"Xloader\", \"WinINet API\", \"InfoStealer\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1027\", \"T1140\", \"T1573.001\"]\nIndustries: []"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965656",
        "uuid": "7fd038d9-5fb8-4a91-84ab-b52853b7329b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965656",
            "to_ids": true,
            "type": "md5",
            "uuid": "e9906678-ca84-4744-b61c-bb381981647b",
            "value": "01128688126c361fc9ff77c07170f952",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964153",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f2c71246-1296-4b22-8106-3ca70a571ab1",
            "value": "b824a92f5be8c88bdafbb974cc42d2d35d5447f9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964153",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f36a8ed8-ba18-4f3e-ba2e-8b7b8d38b472",
            "value": "59db173fbff74cdab24995a0d3669dabf6b09f7332a0128d4faa68ae2526d39a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963425",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5b278b6a-8031-4657-b89e-11842a701c93",
            "value": "6144:LzDb9Qi3uO5hjk3F1Xly5XJsBolZX+EoQNzC+HkuQSyu1JhhqHfbg8FbqKhc:twO/jk3vDErNzmSy+cfvvhc"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963425",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "89691789-8261-4351-bdff-6b497e394b34",
            "value": "495582"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963425",
            "to_ids": true,
            "type": "vhash",
            "uuid": "199a9c03-fe2f-451e-8f59-c0dcfdb08739",
            "value": "045086655d155d0515155az4d!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963425",
            "to_ids": true,
            "type": "filename",
            "uuid": "0cc7e02a-42ba-4572-912c-1571199bfc37",
            "value": "INVOICE_SOA-JAN2026.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-12\nLast scan: 2026-04-10",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963425",
            "to_ids": false,
            "type": "text",
            "uuid": "716fe8c3-febb-4c2c-bce0-41985d00aa33",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/FormBook.GXH!MTB\nVT Total Detection:53/72\nFirst Submission:2026-02-26T09:53:38.000000+00:00\nLast Submission:2026-02-28T14:38:31.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965677",
        "uuid": "85cc24e3-ba00-4053-920b-18f3b85776a2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965677",
            "to_ids": true,
            "type": "md5",
            "uuid": "9704ee71-6919-4707-bae7-b2fcec7ea396",
            "value": "41c53577d2f4bfa75af06d6c60e9c9f3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964155",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4cd60e20-f280-47dc-ab9f-48a86d0b181d",
            "value": "fae4ba1974b3ef76d82de9183a63d085ad769d2b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964155",
            "to_ids": true,
            "type": "sha256",
            "uuid": "93294699-2afa-409d-9431-cd1a4e18f984",
            "value": "316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963446",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8b527cbd-32be-4b91-9a4b-e576e3c28a97",
            "value": "24576:oych15rXDMJMVqoB9MVa0eWMqMRnskG4oR1LE:o/vDMJTobaaJWMNskG9rE"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963446",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0e4a9797-36f6-43cb-9f94-bc42cf0a174e",
            "value": "1161728"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963446",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b14e9482-7cc1-4ade-92f2-5e83dfa6098b",
            "value": "2160367515136082a3711c162f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963446",
            "to_ids": true,
            "type": "filename",
            "uuid": "b335c359-e2c0-4eb4-8e01-4282b98b5cf3",
            "value": "qIcQ.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-12\nLast scan: 2026-04-11",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963446",
            "to_ids": false,
            "type": "text",
            "uuid": "1c576b21-171c-423d-89b0-7c5139895c85",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:MSIL/AgentTesla.ABG!MTB\nVT Total Detection:56/72\nFirst Submission:2026-03-19T06:47:33.000000+00:00\nLast Submission:2026-03-19T08:59:11.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965698",
        "uuid": "5f8d46d7-1cfb-4fc0-b527-3b9f14e5aa7d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965698",
            "to_ids": true,
            "type": "md5",
            "uuid": "0d214a8e-8947-404c-9f06-3c97a7ce52ee",
            "value": "72c11e2df012ec603aee9ba7a0504bf1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964155",
            "to_ids": true,
            "type": "sha1",
            "uuid": "631e625a-4a79-47d3-99ab-de1744ce6573",
            "value": "a0c676a00c5a69dc349c8e14c7890db4eb5a3377",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964155",
            "to_ids": true,
            "type": "sha256",
            "uuid": "543da56d-cb9a-434b-b131-d54ea0cb9328",
            "value": "6b15d702539c47fd54a63bda4d309e06d3c0b92d150f61c0b8b65eae787680be",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963468",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ab6b7fa6-1295-4631-8f92-f8adc3ffdc75",
            "value": "24576:UW4ZZ5vPvRRB/NmZ5DQWP+fgGtu7qNkrvHGGjQ1zMiI5aO:94ZZ5nZR9NmZdP+fgb7qNm+GjygTU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963468",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "592fd282-10f9-4faf-b886-0a610ec57565",
            "value": "1150976"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963468",
            "to_ids": true,
            "type": "vhash",
            "uuid": "270cde65-76bf-49b3-bf57-986accf73996",
            "value": "21603675751870924f4850313"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963468",
            "to_ids": true,
            "type": "filename",
            "uuid": "d1b49e5c-9d7b-4816-a7fa-f8c07e9f8798",
            "value": "ssR.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-12\nLast scan: 2026-04-08",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963468",
            "to_ids": false,
            "type": "text",
            "uuid": "0f1500c1-49b1-4105-b72f-a9ce1eb56cc7",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:MSIL/FormBook.RVZ!MTB\nVT Total Detection:53/71\nFirst Submission:2026-02-26T07:05:05.000000+00:00\nLast Submission:2026-02-26T14:12:08.000000+00:00"
          }
        ]
      }
    ]
  }
}