2026-04-13: XLoader (Formbook) infection
Summary: XLoader (Formbook) malware delivered through an email attachment, an archive (named .7z but in RAR v5 format) containing a JavaScript file. The infection drops and runs a PowerShell script, then deletes it. Post-infection traffic involves 29 suspicious domains; the associated logs and packet capture are provided for analysis. Posted 2026-04-14 21:30, Author: www.malware-traffic-analysis.net

2026-04-13 (MONDAY): XLOADER (FORMBOOK) INFECTION

NOTES:

  • Zip files are password-protected.  Of note, this site has a new password scheme.  For the password, see the "about" page of this website.

ASSOCIATED FILES:

2026-04-13 (MONDAY): XLOADER (FORMBOOK) FROM EMAIL ATTACHMENT

SELECT EMAIL HEADERS/INFO:

- Received: from vilomrin.com (vilomrin[.]com [185.117[.]90.2])
	by [information removed]; Mon, 13 Apr 2026 15:46:22 +0200 (CEST)
- Date: Mon, 13 Apr 2026 14:17:29 +0100
- From: Makandjou SALIFOU 
- Subject: Quotation Reconfirmation Request 10849013/04.26
- Attachment filename: RFQ #10849013.7z

ATTACHMENT:

- SHA256 hash: 6e6eec005d21335366a91f6d53dd1a82a0558b870121ca124d02754fd96a3c3f
- File size: 1,402,182 bytes
- File name: RFQ #10849013.7z
- File type: RAR archive data, v5 (note the mismatch with the .7z extension; identify archives by their magic bytes rather than by file name, and do not rely on extension-based attachment filtering alone)

EXTRACTED MALWARE:

- SHA256 hash: 9297af5f66486d11540f15b44d4b6beec6ff89dbc4dcdee898db9a7daaa76085
- File size: 2,064,350 bytes
- File name: RFQ #10849013.js
- File type: ASCII text, with very long lines, with no line terminators
- File description: Text-based script file for XLoader (Formbook)

FILE DROPPED AND DELETED DURING THE INFECTION:

- SHA256 hash: 8e60280c59b760a2e8c88d51e9fc8cb68c9ebe55b15106bd127cfdabab740bfc
- File size: 1,500,777 bytes
- File location: C:\Temp\ps_NeHt4dsB3IS3_1776200612713.ps1
- File type: ASCII text, with CRLF, LF line terminators
- File description: PowerShell script file for XLoader (Formbook)

29 DOMAINS SEEN IN POST-INFECTION TRAFFIC:

- www.3700421[.]xyz
- www.aistero[.]store
- www.aitutoring[.]vip
- www.brockenbow[.]com
- www.cinella[.]life
- www.f6731[.]com
- www.gradlist[.]ru
- www.helpierus[.]ru
- www.istrakabiinw[.]info
- www.kanui[.]com[.]br
- www.kelimemaster[.]com[.]tr
- www.optickjawabarat[.]online
- www.pechimag-ekb[.]ru
- www.pevnenko[.]tech
- www.scbcgm[.]com
- www.simonidapure[.]net
- www.smarte3info[.]fr
- www.smartfavesden[.]shop
- www.sololevelingshop[.]co[.]uk
- www.sqws-adguard[.]co[.]in
- www.sy-idea[.]com
- www.thesisclaw[.]xyz
- www.tradox[.]rest
- www.troitt[.]com
- www.trylegbots[.]com
- www.vianovamobility[.]shop
- www.vk-mellstroy[.]online
- www.von-tors[.]ru
- www.x5js8[.]click
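As an added example (not part of the original page and not malware-traffic-analysis.net's own tooling), the following Python script turns the indicators above into a small triage check: it refangs the 29 post-infection domains and matches DNS query hostnames against them (exact host, bare registered name, or any other subdomain), and it flags file-create/delete events whose path fits the dropped PowerShell script from the earlier section. Two assumptions are made for the example: the name pattern C:\Temp\ps_<token>_<13 digits>.ps1 is generalised from the single path on this page, and the 13-digit suffix is read as a millisecond Unix epoch (for this sample it decodes to 2026-04-14 21:03:32 UTC, consistent with the analyst running the sample the day after the email). The log lines are constructed for the example, not captured traffic.

```python
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# The 29 defanged post-infection domains from the IOC list above (copied verbatim).
DEFANGED_DOMAINS = """
www.3700421[.]xyz
www.aistero[.]store
www.aitutoring[.]vip
www.brockenbow[.]com
www.cinella[.]life
www.f6731[.]com
www.gradlist[.]ru
www.helpierus[.]ru
www.istrakabiinw[.]info
www.kanui[.]com[.]br
www.kelimemaster[.]com[.]tr
www.optickjawabarat[.]online
www.pechimag-ekb[.]ru
www.pevnenko[.]tech
www.scbcgm[.]com
www.simonidapure[.]net
www.smarte3info[.]fr
www.smartfavesden[.]shop
www.sololevelingshop[.]co[.]uk
www.sqws-adguard[.]co[.]in
www.sy-idea[.]com
www.thesisclaw[.]xyz
www.tradox[.]rest
www.troitt[.]com
www.trylegbots[.]com
www.vianovamobility[.]shop
www.vk-mellstroy[.]online
www.von-tors[.]ru
www.x5js8[.]click
"""


def refang(indicator: str) -> str:
    """Convert defanged IOC notation ("[.]") back into a matchable, lower-cased hostname."""
    return indicator.strip().lower().replace("[.]", ".")


C2_HOSTS = frozenset(refang(d) for d in DEFANGED_DOMAINS.split())
# The page lists www.<domain> names; also match the bare registered name and other subdomains.
C2_BASES = frozenset(h.removeprefix("www.") for h in C2_HOSTS)


def is_c2_host(host: str) -> bool:
    """True if the queried host is one of the listed names, its registered name, or a subdomain."""
    h = host.strip().lower().rstrip(".")
    return h in C2_HOSTS or any(h == b or h.endswith("." + b) for b in C2_BASES)


# ASSUMPTION: generalised from the single dropped path on this page
# (C:\Temp\ps_NeHt4dsB3IS3_1776200612713.ps1): "ps_<alnum token>_<13-digit ms epoch>.ps1".
DROPPED_PS1_RE = re.compile(
    r"^c:\\temp\\ps_(?P<token>[a-z0-9]+)_(?P<epoch_ms>\d{13})\.ps1$", re.IGNORECASE
)


def dropped_script_time(path: str) -> Optional[datetime]:
    """If the path fits the dropped-script pattern, decode the embedded millisecond epoch (UTC)."""
    m = DROPPED_PS1_RE.match(path.strip())
    if not m:
        return None
    ms = int(m.group("epoch_ms"))
    # Integer arithmetic avoids float rounding of the millisecond part.
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return base.replace(microsecond=(ms % 1000) * 1000)


# Constructed sample events (not real telemetry): "<timestamp>|<event kind>|<value>".
SAMPLE_EVENTS = [
    "2026-04-14T21:03:32Z|FileCreate|C:\\Temp\\ps_NeHt4dsB3IS3_1776200612713.ps1",
    "2026-04-14T21:03:40Z|DnsQuery|www.kanui.com.br",
    "2026-04-14T21:03:41Z|DnsQuery|www.microsoft.com",
    "2026-04-14T21:03:45Z|DnsQuery|WWW.Thesisclaw.XYZ",
    "2026-04-14T21:03:50Z|FileDelete|C:\\Temp\\ps_NeHt4dsB3IS3_1776200612713.ps1",
    "2026-04-14T21:04:00Z|FileCreate|C:\\Temp\\notes.txt",
]


def triage(events: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, reason, detail) for every event that matches an indicator."""
    hits: List[Tuple[str, str, str]] = []
    for line in events:
        ts, kind, value = line.split("|", 2)
        if kind in ("FileCreate", "FileDelete"):
            when = dropped_script_time(value)
            if when is not None:
                hits.append((ts, f"{kind}:dropped_loader_script",
                             f"{value} (name embeds {when.isoformat()})"))
        elif kind == "DnsQuery" and is_c2_host(value):
            hits.append((ts, "DnsQuery:c2_domain", value.strip().lower()))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("  ".join(hit))
```

Treat a DNS hit as a lead rather than proof of compromise of that particular name: Formbook/XLoader is known to cycle through a list of decoy domains alongside its real command-and-control server, so a host that resolves one of these names should be pulled for the full sequence (archive open, script file creation and deletion in C:\Temp, then the burst of lookups) before any of the 29 domains is blocked or reported on its own.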

IMAGES


Shown above: Screenshot of the email distributing the XLoader (Formbook) malware.


Shown above: Attached archive and the malicious file contained within it.


Shown above: PowerShell script file dropped and deleted during the infection.


Shown above: XLoader (Formbook) infection traffic filtered in Wireshark.



Source: https://www.malware-traffic-analysis.net/2026/04/13/index.html