2026-04-13 (MONDAY): XLOADER (FORMBOOK) INFECTION
NOTES:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
ASSOCIATED FILES:
- 2026-04-13-IOCs-from-XLoader-infection.txt.zip 1.3 kB (1,314 bytes)
- 2026-04-13-XLoader-files.zip 5.5 MB (5,471,811 bytes)
- 2026-04-13-XLoader-infection-traffic.pcap.zip 7.1 MB (7,144,871 bytes)
2026-04-13 (MONDAY): XLOADER (FORMBOOK) FROM EMAIL ATTACHMENT
SELECT EMAIL HEADERS/INFO:
- Received: from vilomrin.com (vilomrin[.]com [185.117[.]90.2]) by [information removed]; Mon, 13 Apr 2026 15:46:22 +0200 (CEST)
- Date: Mon, 13 Apr 2026 14:17:29 +0100
- From: Makandjou SALIFOU
- Subject: Quotation Reconfirmation Request 10849013/04.26
- Attachment filename: RFQ #10849013.7z
ATTACHMENT:
- SHA256 hash: 6e6eec005d21335366a91f6d53dd1a82a0558b870121ca124d02754fd96a3c3f
- File size: 1,402,182 bytes
- File name: RFQ #10849013.7z
- File type: RAR archive data, v5
EXTRACTED MALWARE:
- SHA256 hash: 9297af5f66486d11540f15b44d4b6beec6ff89dbc4dcdee898db9a7daaa76085
- File size: 2,064,350 bytes
- File name: RFQ #10849013.js
- File type: ASCII text, with very long lines, with no line terminators
- File description: Text-based script file for XLoader (Formbook)
FILE DROPPED AND DELETED DURING THE INFECTION:
- SHA256 hash: 8e60280c59b760a2e8c88d51e9fc8cb68c9ebe55b15106bd127cfdabab740bfc
- File size: 1,500,777 bytes
- File location: C:\Temp\ps_NeHt4dsB3IS3_1776200612713.ps1
- File type: ASCII text, with CRLF, LF line terminators
- File description: PowerShell script file for XLoader (Formbook)
29 DOMAINS SEEN IN POST-INFECTION TRAFFIC:
IMAGES

Shown above: Screenshot of the email distributing the XLoader (Formbook) malware.

Shown above: Attached archive and the malicious file contained within it.

Shown above: PowerShell script file dropped and deleted during the infection.

Shown above: XLoader (Formbook) infection traffic filtered in Wireshark.
