Uncovering .NET Malware Obfuscated by Encryption and Virtualization

March 3, 2025, 5:59 p.m.

Description

This article examines advanced obfuscation techniques used by popular malware families such as Agent Tesla, XWorm, and FormBook/XLoader, including code virtualization, staged payload delivery, dynamic code loading, AES encryption, and multi-stage payloads. The malware uses a three-stage process: an encrypted payload stored in the PE overlay, a second-stage payload virtualized with KoiVM, and a final payload that is typically Agent Tesla or XWorm. These obfuscation methods aim to evade sandbox detection and hinder static analysis. The article shows how configuration parameters can be extracted by unpacking each stage, and discusses opportunities for automating this in sandboxes that perform static analysis.

Date

  • Created: March 3, 2025, 4:54 p.m.
  • Published: March 3, 2025, 4:54 p.m.
  • Modified: March 3, 2025, 5:59 p.m.

Indicators


Attack Patterns

  • Agent Tesla - S0331
  • XLoader
  • XWorm
  • FormBook