2025-01-30 (THURSDAY): XLOADER INFECTION
NOTES:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
ASSOCIATED FILES:
- 2025-01-30-IOCs-for-XLoader-infection.txt.zip 2.2 kB (2,210 bytes)
- 2025-01-30-XLoader-infection-traffic.pcap.zip 10.3 MB (10,336,256 bytes)
- 2025-01-30-email-and-malware-files-from-XLoader-infection.zip 2.3 MB (2,270,797 bytes)
NOTES:
- Unlike my previous XLoader infections, this one didn't run in my VM, so I used a physical host.
- As a reminder, XLoader is a successor to Formbook. For more info on recent XLoader versions, see:
-- https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-1

INFECTION CHAIN:
- email --> attached RAR archive --> extracted EXE --> double-click EXE --> XLoader infection

SOME OF THE EMAIL HEADERS:
- Received: from saffronshipping[.]com (unknown [141.98.10[.]165]) by [information removed]; Thu, 30 Jan 2025 00:52:29 +0200
- From: Brij Mohan Vashist
- Subject: RE;ADVANCE TT SLIP // December/January SOA PAYMENT
- Date: 29 Jan 2025 23:52:28 +0100
- Message-ID: <20250129235227.C6DE692DEC0F599B@saffronshipping[.]com>
- Attachment filename: Payment Slip.rar

EMAIL ATTACHMENT AND EXTRACTED EXE FOR XLOADER:
- SHA256 hash: 71d8df9815f8a2265aa518faec2f74d0345729b093f1d71eb6dece997ec93243
- File size: 746,393 bytes
- File name: Payment Slip.rar
- File type: RAR archive data, v5

- SHA256 hash: 5f6c801582b16d51d8a5c79a64aa18291cd494a52ce92a158ff90c6f6f41fee8
- File size: 870,400 bytes
- File name: Payment Slip.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Persistent file location: C:\Program Files (x86)\Opera\H1zxxm.exe

47 DOMAINS USED FOR THE POST-INFECTION TRAFFIC:
- www.031234990[.]xyz
- www.031235246[.]xyz
- www.11252flend[.]makeup
- www.67051[.]app
- www.antobloom[.]xyz
- www.arryongro-nambe[.]live
- www.autonomousrich[.]xyz
- www.avisos-bbva[.]info
- www.besttreasurespot[.]shop
- www.bitcoinescort[.]xyz
- www.bjogo[.]top
- www.bydotoparca[.]net
- www.car-select[.]online
- www.clouser[.]store
- www.corellia[.]pro
- www.covsds[.]info
- www.coxswain[.]art
- www.dangky88kfree[.]online
- www.devnorms[.]xyz
- www.dogebonus[.]xyz
- www.exhelp[.]xyz
- www.ezjytrkuqlw[.]info
- www.fjlgyc[.]info
- www.fz977[.]xyz
- www.hotethereum[.]xyz
- www.jili999[.]net
- www.l51127[.]xyz
- www.laohuc58[.]net
- www.maplez[.]online
- www.micusa[.]xyz
- www.mujde[.]info
- www.physicsbrain[.]xyz
- www.prepaidbitcoin[.]xyz
- www.rtphajar4d[.]art
- www.satoshichecker[.]xyz
- www.serenityos[.]dev
- www.sigaque[.]today
- www.spadessyndicate[.]net
- www.sscexampyq[.]watches
- www.tabs123[.]xyz
- www.theweb[.]services
- www.tokosayur[.]shop
- www.topked[.]top
- www.travel-cure[.]sbs
- www.trustai[.]chat
- www.uarsg[.]xyz
- www.woca[.]group
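The indicators above are defanged with "[.]" and cannot be pasted straight into a query. Below is an added example (my own code, not part of the original page and not taken from the pcap) that refangs the list, matches hostnames against it with label-boundary checks (so "notserenityos.dev" does not hit "serenityos.dev" the way a plain substring search would), scans a few constructed Zeek dns.log-style rows, and checks a sample's SHA256 against the two hashes listed on the page. The domain subset, the tab-separated (ts, id.orig_h, id.resp_h, query) row layout and the sample rows are all assumptions made for the example. One caveat for anyone hunting with this list: Formbook and XLoader contact decoy domains alongside the real C2, so a hit on one of these names is an indicator of an infected host, not proof that the resolved server is the C2.

```python
#!/usr/bin/env python3
"""
Added example, not part of the original page: turn the defanged indicators
above into a hunting lookup and run it over a few constructed log rows.
"""
from __future__ import annotations

import hashlib

# A subset of the 47 post-infection domains listed on the page, exactly as
# published (defanged with "[.]"). Paste in the full list when hunting.
DEFANGED_DOMAINS = """
www.031234990[.]xyz
www.antobloom[.]xyz
www.serenityos[.]dev
www.theweb[.]services
www.trustai[.]chat
"""

# SHA256 hashes of the email attachment and the extracted EXE, from the page.
KNOWN_HASHES = {
    "71d8df9815f8a2265aa518faec2f74d0345729b093f1d71eb6dece997ec93243": "Payment Slip.rar",
    "5f6c801582b16d51d8a5c79a64aa18291cd494a52ce92a158ff90c6f6f41fee8": "Payment Slip.exe",
}


def refang(indicator: str) -> str:
    """Undo the defanging used on the page so the value compares to live data."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def load_domains(text: str) -> set[str]:
    """Parse a defanged one-per-line list into a set of refanged domains."""
    return {refang(line) for line in text.splitlines() if line.strip()}


def host_matches(host: str, domains: set[str]) -> str | None:
    """Return the listed domain that `host` matches, or None.

    A host matches if it equals the listed name, equals the listed name without
    its leading "www.", or is a subdomain of that bare name. Label boundaries
    are respected: "notserenityos.dev" does NOT match "www.serenityos.dev".
    """
    host = host.strip().lower().rstrip(".")
    for listed in domains:
        bare = listed[4:] if listed.startswith("www.") else listed
        if host in (listed, bare) or host.endswith("." + bare):
            return listed
    return None


def scan_dns_log(lines, domains: set[str]) -> list[tuple[str, str, str, str]]:
    """Scan Zeek dns.log-style rows for listed domains.

    Assumed layout (constructed for this example): tab-separated
    ts, id.orig_h, id.resp_h, query. Adjust the field index for other logs.
    Returns (ts, client, query, matched_domain) tuples.
    """
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 4:
            continue  # malformed or header row
        matched = host_matches(fields[3], domains)
        if matched:
            hits.append((fields[0], fields[1], fields[3], matched))
    return hits


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a byte string (read the file with open(path, 'rb') first)."""
    return hashlib.sha256(data).hexdigest()


def identify_bytes(data: bytes) -> str | None:
    """Return the page's file name if the sample's SHA256 is listed, else None."""
    return KNOWN_HASHES.get(sha256_hex(data))


# Constructed sample rows (not from the page's pcap) in the layout described above.
SAMPLE_DNS = [
    "1738195200.000\t10.1.30.101\t10.1.30.1\twww.antobloom.xyz",
    "1738195201.500\t10.1.30.101\t10.1.30.1\twww.microsoft.com",
    "1738195202.250\t10.1.30.101\t10.1.30.1\tcdn.theweb.services",
    "1738195203.000\t10.1.30.101\t10.1.30.1\tnotserenityos.dev",
]

if __name__ == "__main__":
    domains = load_domains(DEFANGED_DOMAINS)
    for ts, client, query, matched in scan_dns_log(SAMPLE_DNS, domains):
        print(f"{ts} {client} queried {query} (listed as {matched})")
```

Running it reports only the first and third constructed rows; the "notserenityos.dev" row is the deliberate near-miss. The "www." handling is a choice: the page lists every domain with a "www." label, but a DNS log may show the bare name or another subdomain, so the lookup treats the registrable name as the indicator and reports the listed form it was derived from.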
IMAGES:
- Shown above: Email distributing XLoader malware.
- Shown above: Traffic from an infection filtered in Wireshark.
- Shown above: XLoader persistent on the infected Windows host.
