{"id":4442,"date":"2023-02-28T08:37:14","date_gmt":"2023-02-28T08:37:14","guid":{"rendered":"\/cybersecurity-blog\/?p=4442"},"modified":"2023-07-28T08:29:12","modified_gmt":"2023-07-28T08:29:12","slug":"xloader-formbook-encryption-analysis-and-malware-decryption","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/","title":{"rendered":"XLoader\/FormBook: Encryption Analysis and Malware Decryption\u00a0"},"content":{"rendered":"\n<p>Today <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=xloader&amp;utm_content=landing\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>\u2019s malware analysts are happy to discuss the encryption algorithms of XLoader, also known as <a href=\"https:\/\/any.run\/malware-trends\/formbook?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=xloader&amp;utm_content=mtt\" target=\"_blank\" rel=\"noreferrer noopener\">FormBook<\/a>. And together we\u2019ll decrypt the stealer\u2019s strings and C2 servers.<\/p>\n\n\n\n<p>XLoader is a stealer, the successor of FormBook. Apart from its basic functionality, the unusual approaches to encryption and obfuscation of internal structures, code, and strings used in XLoader are also of interest. Let\u2019s take a detailed look at the encryption of strings, functions, and C2 decoys.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Encryption in XLoader<\/h2>\n\n\n\n<p>First, let\u2019s look at the three main cryptographic algorithms used in XLoader. All three are modified algorithms: RC4, SHA1, and XLoader&#8217;s own algorithm based on a virtual machine.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The modified RC4 algorithm<\/h3>\n\n\n\n<p>The modified RC4 algorithm is a usual RC4 with additional layers of sequential subtraction before and after the RC4 call. In code, one subtraction layer looks like this (the buffer is a mutable byte array, so each difference is reduced modulo 256 to stay within a byte):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># encbuf is a bytearray holding the ciphertext\n# transform 1: walk from right to left, subtracting each byte from the byte to its left\nfor i in range(len(encbuf) - 1, 0, -1):\n    encbuf[i-1] = (encbuf[i-1] - encbuf[i]) &amp; 0xFF\n\n# transform 2: walk from left to right, subtracting each byte's right neighbour from it\nfor i in range(0, len(encbuf) - 1):\n    encbuf[i] = (encbuf[i] - encbuf[i+1]) &amp; 0xFF<\/code><\/pre>\n\n\n\n<p>The ciphertext bytes are subtracted from each other in sequence, first from right to left and then from left to right. 
In the XLoader code, it looks like this:<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/wenB4_2fDi0w0piB6QoLAlnE426wiqzkNfm-BJuiDQGEzigJ9-1ZfxLFZXTKABSu3Eg7Pi1pAVjWHNiSTBjoc2IUR2mOKV6PhsodkfQfTs0cZ9UUhCHnBy5-G6aKuOrpjnGpNGpOq8pEoyRCYLIoAA\" alt=\"Function performing RC4 encryption\" width=\"800\" height=\"1033\"\/><figcaption class=\"wp-element-caption\">Function performing RC4 encryption<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">The modified SHA1 algorithm<\/h3>\n\n\n\n<p>The SHA1 modification is a regular SHA1, but each 4-byte word of the 20-byte digest is byte-reversed:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from Crypto.Hash import SHA1  # PyCryptodome\n\ndef reversed_dword_sha1(dat2hash):\n    # standard SHA1 over the input\n    sha1Inst = SHA1.new()\n    sha1Inst.update(dat2hash)\n    hashed_data = sha1Inst.digest()\n    # reverse the byte order inside each of the five 4-byte words\n    result = b\"\"\n    for i in range(5):\n        result += hashed_data[4*i:4*i+4][::-1]\n    return result<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">XLoader&#8217;s own virtual machine algorithm<\/h3>\n\n\n\n<p>The last algorithm is a virtual machine that generates one to four bytes of plaintext, depending on the current byte of the ciphertext. Usually, this algorithm is used as an additional encryption layer, which will be discussed later. 
The entry of the VM decryption routine looks like this:<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/gYBvnX_0yM5J8_UjszBtGR-jRGVnlt1eNjyWOXdUcjhNVLHHejC3HRGATYW68QOvZJw4BCsi9xFwlkrpSBm8MPs69zLPdWoFaDjXqWvfjCqskVfuTUk9xeJpnKfkfU-kkOxsnMwaY8EUmXK2wWzABxk\" alt=\"An example of transformations in a virtual machine\u2019s decryption routine\" width=\"819\" height=\"698\"\/><figcaption class=\"wp-element-caption\">An example of transformations in a virtual machine\u2019s decryption routine<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Decrypting XLoader Strings<\/h2>\n\n\n\n<p>Next, let&#8217;s investigate how string encryption works in XLoader. All byte arrays containing encrypted strings or key material are located in special kinds of blobs.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/KIb4iuxzymn0cTCc5jPj0CUZ-roo6W_udgWuY-Sq1N7kTb5AlPPeYfbv5_QzwJcSbRTrJywUPO3Ov6CIIbAjFu52qama906behnnsWHRyjckSxe0dOYKDoRqUp_-evT_uJDvPCE-OxFMnMCKXst4Sus\" alt=\"An example of a blob with encrypted data\"\/><figcaption class=\"wp-element-caption\">An example of a blob with encrypted data<\/figcaption><\/figure>\n\n\n\n<p>As you can see in the screenshot above, such a blob is a small function that returns a pointer to itself; the bytes of interest are stored immediately after that function.<\/p>\n\n\n\n<p>To decrypt the strings, a key is generated first. 
The key is generated from three parts, to which the functions described above are applied.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/82ZM5raYydYt82T4BGAP8nZV8UKk7_8Bb-Qousj5aWq_OaANCnVEbLebtpl-12r2F52GJ3sePfwnGQOHuuz7W77JABM3RiXC80maiEJUw4XPXiNOcSmfKjmVr8U3PtXRstcohCY64jWfqR0wGh-Uf8M\" alt=\"Key generation function to decrypt strings\" width=\"774\" height=\"813\"\/><figcaption class=\"wp-element-caption\">Key generation function to decrypt strings<\/figcaption><\/figure>\n\n\n\n<p>Here K1_blob, K2_blob, and K3_blob are functions that return data from the blobs described above, and the string length is passed to them as an argument.<\/p>\n\n\n\n<p>The functions VM_Decrypt, RC4_with_sub_Layer, and sha1_* are the modified algorithms we discussed earlier.<\/p>\n\n\n\n<p>Schematically, the key generation algorithm can be represented by the following diagram.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"793\" height=\"713\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/scheme_1-2.png\" alt=\"\" class=\"wp-image-4476\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/scheme_1-2.png 793w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/scheme_1-2-300x270.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/scheme_1-2-768x691.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/scheme_1-2-370x333.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/scheme_1-2-270x243.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/scheme_1-2-335x300.png 335w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/scheme_1-2-740x665.png 740w\" sizes=\"(max-width: 793px) 100vw, 793px\" \/><figcaption class=\"wp-element-caption\">Scheme of key generation to decrypt strings<\/figcaption><\/figure>\n\n\n\n<p>Here <strong>E<\/strong> and <strong>K<\/strong> are the data and the key fed to the input of the RC4 function, respectively, and <strong>K1, K2,<\/strong> and <strong>K3<\/strong> are the data obtained from the K1_blob, K2_blob, and K3_blob functions.<\/p>\n\n\n\n<p>The strings themselves are also stored as a blob and are covered by two layers of encryption:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VM_decrypt<\/li>\n\n\n\n<li>RC4 using the key obtained above<\/li>\n<\/ul>\n\n\n\n<p>Note that RC4 is not applied to the whole blob at once. After the first layer is removed, the encrypted strings are stored in the format:<\/p>\n\n\n\n<p><strong>encrypted string length &#8211; encrypted string<\/strong><\/p>\n\n\n\n<p>Consequently, to decrypt the strings, we need to walk this structure and decrypt each string in turn.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/7-1.png\" alt=\"Function for decrypting strings\" class=\"wp-image-4444\" width=\"788\" height=\"659\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/7-1.png 574w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/7-1-300x251.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/7-1-370x309.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/7-1-270x226.png 270w\" sizes=\"(max-width: 788px) 100vw, 788px\" \/><figcaption class=\"wp-element-caption\">Function for decrypting strings<\/figcaption><\/figure>\n\n\n\n<p>Below is an example of the encrypted data after stripping the first layer. 
Length\/string pairs for the first 3 encrypted strings are highlighted in red.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/image-30.png\" alt=\"The first 3 encrypted strings\" class=\"wp-image-4445\" width=\"781\" height=\"105\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/image-30.png 634w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/image-30-300x40.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/image-30-370x50.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/image-30-270x36.png 270w\" sizes=\"(max-width: 781px) 100vw, 781px\" \/><figcaption class=\"wp-element-caption\">The first 3 encrypted strings<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The same strings after decryption:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/5V96uL8OjsyBrJ-GNUIftBt8xk8TZm7FLOVrmdIOis1yWji2LR8IHt8bswrYfcqzxXAfUpVlrWVYWr2LDsmvPJDztUpGsEci8IxrBBCvB0V6UdFK_y6TQNqbCPR6xIYqv50OLyyH8qEhGo2JOqPClmg\" alt=\"The first 3 lines after decoding\"\/><figcaption class=\"wp-element-caption\">The first 3 lines after decoding<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Along with the encrypted strings, C2 decoys are also stored there. They are always located at the end of all decrypted strings, beginning and ending with the f-start and f-end strings.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Decrypting XLoader&#8217;s C2 Servers<\/h2>\n\n\n\n<p>Next, let&#8217;s see how the main C2 encryption works. 
The main C2 is located elsewhere in the code, so it can be obtained separately from the C2 decoys.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/9zKV8JXtG76mnFirkw6CxPZUlblXaj2vrvGM9E_H0HwQDASDBFJdd_It6eh9tm3lUiCvNVT5Y6J8o49lrHZyuPlT0BMmXcqxazzO8ZhvrTCvim5G5W8XgBCshluFCYDOJm-lqppz6Ce_y_CAt7qB0iI\" alt=\"Code snippet demonstrating C2 decryption.\"\/><figcaption class=\"wp-element-caption\">Code snippet demonstrating C2 decryption.<\/figcaption><\/figure>\n\n\n\n<p>As with the strings, three keys are used to decrypt it. The C2 decryption scheme is shown below, where:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>EC2<\/strong> is the encrypted C2<\/li>\n\n\n\n<li><strong>DC2<\/strong> is the decrypted C2<\/li>\n<\/ul>\n\n\n\n<p>The algorithm itself is three sequential applications of RC4 with three different keys.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/schme_2-1-1-1024x468.png\" alt=\"C2 decoys\u2019 decryption scheme\" class=\"wp-image-4465\" width=\"803\" height=\"367\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/schme_2-1-1-1024x468.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/schme_2-1-1-300x137.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/schme_2-1-1-768x351.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/schme_2-1-1-370x169.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/schme_2-1-1-270x123.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/schme_2-1-1-740x338.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/schme_2-1-1.png 1280w\" sizes=\"(max-width: 803px) 100vw, 803px\" \/><figcaption class=\"wp-element-caption\">C2 decoys\u2019 decryption scheme<\/figcaption><\/figure>\n\n\n\n<p>In newer versions of XLoader, the C2 decoys, which usually sit alongside all the other strings, are covered by an additional layer of encryption, and at first glance it is not at all clear where exactly these strings get decrypted.<\/p>\n\n\n\n<p>The reason is that XLoader has several entry points, each responsible for different, non-overlapping functionality, and many of its functions are themselves stored encrypted.<\/p>\n\n\n\n<p>The C2 decoys are decrypted inside the XLoader instance injected into Explorer.exe. In the case shown below, the result is then passed to netsh.exe, which also hosts XLoader via APC injection.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/iDGK934lP2F4ryZqeT5geRhCtBdLmQXr8WEX3wfLAtDhRESWgwzTtXuV2aZLcx0c4LXnHiUyEuJYfz7Xos7nen7t2Elfz6wp4ZX8DvThw6WSvqDlQK5JgOpCxVHGdPqYYMQBiEKs9elOuxTTaSq-mA\" alt=\"The C2 life cycle in different XLoader modules\"\/><figcaption class=\"wp-element-caption\">The C2 life cycle in different XLoader modules<\/figcaption><\/figure>\n\n\n\n<p>To understand how a C2 decoy is encrypted, you first need to understand how the functions are encrypted.<\/p>\n\n\n\n<p>It\u2019s actually quite simple. RC4 is used as the encryption algorithm. This time, the key is hardcoded right in the code and then XORed with a 4-byte gamma.<\/p>\n\n\n\n<p>After that, pointers to the start and end of the function have to be found. This is how it is done: a unique 4-byte value is placed at the beginning and end of each encrypted function. 
XLoader scans for these marker values and obtains the desired pointers.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/S4DLwmjRxubbg7rb6DpSTSqh0EAmUejZTuYF49XRKNROvFxhAkSexiGEpnjyzcOcIV0LjIig2bF9cgBFIKwnmd1O8xyDQuF6LiCP8njBsKEJ63EUnh-OcNIHolL7nZy02xF1LpUkAhOF1n12Qc9xgg\" alt=\"Code snippet demonstrating the decryption of the function\" width=\"769\" height=\"558\"\/><figcaption class=\"wp-element-caption\">Code snippet demonstrating the decryption of the function<\/figcaption><\/figure>\n\n\n\n<p>The function is then decrypted and given control, and it in turn searches for and decrypts the next function. This continues until the function with the main functionality is decrypted and executed, so an extractor has to decrypt the functions recursively, following the same chain.<\/p>\n\n\n\n<p>The key to decrypting C2 decoys consists of two parts that are collected separately at two different exit points. One exit point yields the 20-byte protected key, and the second yields the 4-byte gamma used to decrypt that key.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Example of extracted XLoader malware configuration<\/h2>\n\n\n\n<p>Applying the above algorithms, we can extract the configuration from XLoader, including the C2, C2 decoys, and strings. 
For your convenience, we have integrated automatic extraction of the Xloader configuration into <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=xloader&amp;utm_content=landing\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN interactive sandbox <\/a>\u2014 just run the sample and get all the IOCs in seconds.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/-PCKJiZeWt3k6HQjaTd5RN80a-DW1y4LpoTsLKfW8QKHW1mzBUGsuIkzVOOkur06xUXkDTCCCHu-W1xY-HGMBMQs8PSpqFliX7MtT4AMtYm13M0YSM6pumrrIH1GnDBA_lhzyfqGYbDz8mVuzSEeDhI\" alt=\"Extracted malware configuration in ANY.RUN\"\/><figcaption class=\"wp-element-caption\">Extracted malware configuration in ANY.RUN<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"980\" height=\"660\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/image12-1.png\" alt=\"Extracted malware configuration in ANY.RUN\" class=\"wp-image-4452\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/image12-1.png 980w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/image12-1-300x202.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/image12-1-768x517.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/image12-1-370x249.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/image12-1-270x182.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/02\/image12-1-740x498.png 740w\" sizes=\"(max-width: 980px) 100vw, 980px\" \/><figcaption class=\"wp-element-caption\">Extracted malware configuration in ANY.RUN<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Examples of successfully executed samples:<\/strong><\/p>\n\n\n\n<p><a 
href=\"https:\/\/app.any.run\/tasks\/f6d29aa7-4054-44b6-b4cc-61684742da88\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=xloader&amp;utm_content=task1\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/f6d29aa7-4054-44b6-b4cc-61684742da88\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/aa804b50-2c11-447e-a5a9-709b83634aa0\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=xloader&amp;utm_content=task2\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/aa804b50-2c11-447e-a5a9-709b83634aa0\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/8bcca55f-99ae-4b8d-b60e-226562068d9a\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=xloader&amp;utm_content=task3\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/8bcca55f-99ae-4b8d-b60e-226562068d9a\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Sum it up<\/h2>\n\n\n\n<p>In this article, we discussed the encryption in xLoader stealer. It is based on both add-ons to existing algorithms and self-written algorithms.<\/p>\n\n\n\n<p>The main tricky part of the decryption process is the key generation and the fact that the XLoader functionality is split into modules that can be run in different processes. 
Because of this, in order to extract strings, we have to decrypt the executable code, among other things.<\/p>\n\n\n\n<p>Fortunately, ANY.RUN is already set up to detect this malware automatically, making the relevant configuration details just a click away.<\/p>\n\n\n\n<p>If you want to read more content like this, check out our analysis of the <a href=\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Raccoon Stealer<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/cryptbot-infostealer-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">CryptBot<\/a>, or <a href=\"https:\/\/any.run\/cybersecurity-blog\/orcus-rat-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Orcus RAT<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Appendix<\/h2>\n\n\n\n<p><strong>Analyzed files<\/strong><\/p>\n\n\n\n<p>Sample with new C2 decoys encryption<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Title<\/td><td class=\"has-text-align-left\" data-align=\"left\">Description<\/td><\/tr><tr><td>Name<\/td><td class=\"has-text-align-left\" data-align=\"left\">MT10320221808-004. 
pdf.exe<\/td><\/tr><tr><td>MD5<\/td><td class=\"has-text-align-left\" data-align=\"left\">b7127b3281dbd5f1ae76ea500db1ce6a<\/td><\/tr><tr><td>SHA1<\/td><td class=\"has-text-align-left\" data-align=\"left\">6e7b8bdc554fe91eac7eef5b299158e6b2287c40<\/td><\/tr><tr><td>SHA256<\/td><td class=\"has-text-align-left\" data-align=\"left\">726fd095c55cdab5860f8252050ebd2f3c3d8eace480f8422e52b3d4773b0d1c<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Sample without C2 decoys encryption<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Title<\/td><td>Description<\/td><\/tr><tr><td>Name<\/td><td>Transfer slip.exe<\/td><\/tr><tr><td>MD5<\/td><td>1b5393505847dcd181ebbc23def363ca<\/td><\/tr><tr><td>SHA1<\/td><td>830edb007222442aa5c0883b5a2368f8da32acd1<\/td><\/tr><tr><td>SHA256<\/td><td>27b2b539c061e496c1baa6ff071e6ce1042ae4d77d398fd954ae1a62f9ad3885<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Today ANY.RUN\u2019s malware analysts are happy to discuss the encryption algorithms of XLoader, also known as FormBook. And together we\u2019ll decrypt the stealer\u2019s strings and C2 servers.&nbsp; Xloader is a stealer, the successor of FormBook. 
However, apart from the basic functionality, the unusual approaches to encryption and obfuscation of internal structures, code, and strings used [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":4455,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[34],"class_list":["post-4442","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>XLoader aka FormBook Encryption Analysis, Malware Decryption<\/title>\n<meta name=\"description\" content=\"ANYRUN\u2019s malware analysts share the encryption algorithms of XLoader, also known as FormBook. We\u2019ll decrypt stealer\u2019s strings and C2 servers.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"XLoader\/FormBook: Encryption Analysis and Malware Decryption\u00a0\",\"datePublished\":\"2023-02-28T08:37:14+00:00\",\"dateModified\":\"2023-07-28T08:29:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/\"},\"wordCount\":1345,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/\",\"name\":\"XLoader aka FormBook Encryption Analysis, Malware Decryption\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2023-02-28T08:37:14+00:00\",\"dateModified\":\"2023-07-28T08:29:12+00:00\",\"description\":\"ANYRUN\u2019s malware analysts share the encryption algorithms of XLoader, also known as FormBook. 
We\u2019ll decrypt stealer\u2019s strings and C2 servers.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"XLoader\/FormBook: Encryption Analysis and Malware Decryption\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"XLoader aka FormBook Encryption Analysis, Malware Decryption","description":"ANYRUN\u2019s malware analysts share the encryption algorithms of XLoader, also known as FormBook. We\u2019ll decrypt stealer\u2019s strings and C2 servers.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"XLoader\/FormBook: Encryption Analysis and Malware Decryption\u00a0","datePublished":"2023-02-28T08:37:14+00:00","dateModified":"2023-07-28T08:29:12+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/"},"wordCount":1345,"commentCount":1,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/","url":"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/","name":"XLoader aka FormBook Encryption Analysis, Malware Decryption","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2023-02-28T08:37:14+00:00","dateModified":"2023-07-28T08:29:12+00:00","description":"ANYRUN\u2019s malware analysts share the encryption algorithms of XLoader, also known as FormBook. 
We\u2019ll decrypt stealer\u2019s strings and C2 servers.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/xloader-formbook-encryption-analysis-and-malware-decryption\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"XLoader\/FormBook: Encryption Analysis and Malware Decryption\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4442"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=4442"}],"version-history":[{"count":26,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4442\/revisions"}],"predecessor-version":[{"id":5521,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/4442\/revisions\/5521"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/4455"}],
"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=4442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=4442"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=4442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}