2025-01-30 (THURSDAY): XLOADER INFECTION

NOTES:

- Unlike my previous XLoader infections, this one didn't run in my VM, so I used a physical host.
- As a reminder, XLoader is a successor to Formbook.  For more info on recent XLoader versions, see:
  -- https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-1

INFECTION CHAIN:

- email --> attached RAR archive --> extracted EXE --> double-click EXE --> XLoader infection

SOME OF THE EMAIL HEADERS:

- Received: from saffronshipping[.]com (unknown [141.98.10[.]165])
  by [information removed]; Thu, 30 Jan 2025 00:52:29 +0200
- From: Brij Mohan Vashist 
- Subject: RE;ADVANCE TT SLIP // December/January SOA PAYMENT
- Date: 29 Jan 2025 23:52:28 +0100
- Message-ID: <20250129235227.C6DE692DEC0F599B@saffronshipping[.]com>
- Attachment filename: Payment Slip.rar

EMAIL ATTACHMENT AND EXTRACTED EXE FOR XLOADER:

- SHA256 hash: 71d8df9815f8a2265aa518faec2f74d0345729b093f1d71eb6dece997ec93243
- File size: 746,393 bytes
- File name: Payment Slip.rar
- File type: RAR archive data, v5

- SHA256 hash: 5f6c801582b16d51d8a5c79a64aa18291cd494a52ce92a158ff90c6f6f41fee8
- File size: 870,400 bytes
- File name: Payment Slip.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Persistent file location: C:\Program Files (x86)\Opera\H1zxxm.exe

47 DOMAINS USED FOR THE POST-INFECTION TRAFFIC:

- www.031234990[.]xyz
- www.031235246[.]xyz
- www.11252flend[.]makeup
- www.67051[.]app
- www.antobloom[.]xyz
- www.arryongro-nambe[.]live
- www.autonomousrich[.]xyz
- www.avisos-bbva[.]info
- www.besttreasurespot[.]shop
- www.bitcoinescort[.]xyz
- www.bjogo[.]top
- www.bydotoparca[.]net
- www.car-select[.]online
- www.clouser[.]store
- www.corellia[.]pro
- www.covsds[.]info
- www.coxswain[.]art
- www.dangky88kfree[.]online
- www.devnorms[.]xyz
- www.dogebonus[.]xyz
- www.exhelp[.]xyz
- www.ezjytrkuqlw[.]info
- www.fjlgyc[.]info
- www.fz977[.]xyz
- www.hotethereum[.]xyz
- www.jili999[.]net
- www.l51127[.]xyz
- www.laohuc58[.]net
- www.maplez[.]online
- www.micusa[.]xyz
- www.mujde[.]info
- www.physicsbrain[.]xyz
- www.prepaidbitcoin[.]xyz
- www.rtphajar4d[.]art
- www.satoshichecker[.]xyz
- www.serenityos[.]dev
- www.sigaque[.]today
- www.spadessyndicate[.]net
- www.sscexampyq[.]watches
- www.tabs123[.]xyz
- www.theweb[.]services
- www.tokosayur[.]shop
- www.topked[.]top
- www.travel-cure[.]sbs
- www.trustai[.]chat
- www.uarsg[.]xyz
- www.woca[.]group
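As an added example that is not part of this write-up, the script below refangs the domains and hashes listed above and checks them against a constructed sample DNS query log and a constructed file-hash inventory of the kind an EDR export would give. The log format, the sample entries and the helper names are assumptions made for the demonstration; the indicators themselves are the ones on this page. The refang step also accepts the hxxp and [:] conventions, which this page does not use, so the same loader works for other defanged lists.

```python
# Added example (not from the original write-up): refang the defanged IOCs
# listed above and check them against constructed sample log data.
from typing import Dict, List, Optional, Set, Tuple

# The 47 post-infection domains, copied from the write-up and still defanged.
DEFANGED_DOMAINS = """
www.031234990[.]xyz www.031235246[.]xyz www.11252flend[.]makeup www.67051[.]app
www.antobloom[.]xyz www.arryongro-nambe[.]live www.autonomousrich[.]xyz
www.avisos-bbva[.]info www.besttreasurespot[.]shop www.bitcoinescort[.]xyz
www.bjogo[.]top www.bydotoparca[.]net www.car-select[.]online www.clouser[.]store
www.corellia[.]pro www.covsds[.]info www.coxswain[.]art www.dangky88kfree[.]online
www.devnorms[.]xyz www.dogebonus[.]xyz www.exhelp[.]xyz www.ezjytrkuqlw[.]info
www.fjlgyc[.]info www.fz977[.]xyz www.hotethereum[.]xyz www.jili999[.]net
www.l51127[.]xyz www.laohuc58[.]net www.maplez[.]online www.micusa[.]xyz
www.mujde[.]info www.physicsbrain[.]xyz www.prepaidbitcoin[.]xyz www.rtphajar4d[.]art
www.satoshichecker[.]xyz www.serenityos[.]dev www.sigaque[.]today
www.spadessyndicate[.]net www.sscexampyq[.]watches www.tabs123[.]xyz
www.theweb[.]services www.tokosayur[.]shop www.topked[.]top www.travel-cure[.]sbs
www.trustai[.]chat www.uarsg[.]xyz www.woca[.]group
"""

# SHA256 hashes of the email attachment and the extracted EXE (from the write-up).
FILE_HASHES: Dict[str, str] = {
    "71d8df9815f8a2265aa518faec2f74d0345729b093f1d71eb6dece997ec93243": "Payment Slip.rar",
    "5f6c801582b16d51d8a5c79a64aa18291cd494a52ce92a158ff90c6f6f41fee8": "Payment Slip.exe",
}

# Constructed sample DNS query log, format assumed: "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS_LOG: List[str] = [
    "2025-01-30T10:15:01Z 10.1.1.25 A www.microsoft.com",
    "2025-01-30T10:15:09Z 10.1.1.25 A www.antobloom.xyz",
    "2025-01-30T10:15:12Z 10.1.1.25 A WWW.SERENITYOS.DEV.",
    "2025-01-30T10:15:20Z 10.1.1.30 A www.example.org",
    "2025-01-30T10:15:33Z 10.1.1.25 A cdn.www.tokosayur.shop",
]

# Constructed sample file inventory: (path, sha256). The Opera path is the
# persistence location named in the write-up; the notepad hash is a placeholder.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\notepad.exe", "0" * 64),
    (r"C:\Program Files (x86)\Opera\H1zxxm.exe",
     "5F6C801582B16D51D8A5C79A64AA18291CD494A52CE92A158FF90C6F6F41FEE8"),
]


def refang(ioc: str) -> str:
    """Undo the [.] defanging used in the write-up; also accepts [:] and hxxp."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def load_domains() -> Set[str]:
    """Refanged, lower-cased set of the listed post-infection domains."""
    return {refang(d).lower() for d in DEFANGED_DOMAINS.split()}


def match_host(host: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_dns_log(lines: List[str], domains: Set[str]) -> List[Tuple[int, str, str]]:
    """(1-based line number, queried name, matched IOC) for every hit."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines instead of raising
        matched = match_host(fields[-1], domains)
        if matched:
            hits.append((n, fields[-1], matched))
    return hits


def scan_hash_inventory(inventory: List[Tuple[str, str]],
                        hashes: Dict[str, str]) -> List[Tuple[str, str]]:
    """(path, IOC file name) for every file whose SHA256 is in the write-up."""
    return [(path, hashes[h.lower()]) for path, h in inventory if h.lower() in hashes]


if __name__ == "__main__":
    for n, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG, load_domains()):
        print(f"DNS line {n}: {qname} matches {ioc}")
    for path, name in scan_hash_inventory(SAMPLE_INVENTORY, FILE_HASHES):
        print(f"file {path} has the SHA256 of {name}")
```

Matching on suffix rather than equality is deliberate: a query for a host under one of the listed domains is still traffic to that domain, and the hash lookup lower-cases both sides because tooling disagrees on hex case.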

IMAGES

Shown above:  Email distributing XLoader malware.

Shown above:  Traffic from an infection filtered in Wireshark.

Shown above:  XLoader persistent on the infected Windows host.