Technical Analysis of Xloader Versions 6 and 7

    Date: 02/14/2025

    Severity: Medium

    Summary

    "Technical Analysis of Xloader Versions 6 and 7 | Part 2" examines the advanced obfuscation techniques used by Xloader versions 6 and 7 to conceal critical code and data. The malware continues to employ hardcoded decoy lists to blend malicious C2 traffic with legitimate website traffic. These decoy lists and the actual C2 server are encrypted using separate keys and algorithms. Both versions use the same network protocol and are secured by multiple layers of encryption.

    Indicators of Compromise (IOC) List

    URL/Domain


    Hash

    66ebf028ab0f226b6e4c6b17cec00102b1255a4e59b6ae7b32b062a903135cc9
    
    88909cd27a422da91a651e87f493d16beff1f0e03adcc035f2835a2a25e871e7
    
    4ad101eef336dc2467ffaf584b272aa82f26711bfba4e2e29e8ad7c6d62bc6ae
    
    362207c53645346df6f36cf3f7792e5fc4655895b35a6e3477e218e0e0007be9
    
    b1fb20d5857d1ca65dbacd6cb100dc2d7da8eb7ce54d4faeebafb2bbb212beca

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "www.iwin.exposed/ir6g/" or url like "www.iwin.exposed/ir6g/" or userdomainname like "www.everycreation.shop/nsev/" or url like "www.everycreation.shop/nsev/" or userdomainname like "www.ok2yu.us/ir6g/" or url like "www.ok2yu.us/ir6g/" or userdomainname like "www.zwetststuren.cfd/ir6g/" or url like "www.zwetststuren.cfd/ir6g/" or userdomainname like "www.fraternize.org/ir6g/" or url like "www.fraternize.org/ir6g/" or userdomainname like "www.mc9uh8d70.site/ir6g/" or url like "www.mc9uh8d70.site/ir6g/" or userdomainname like "www.scwspark.com/ir6g/" or url like "www.scwspark.com/ir6g/" or userdomainname like "www.royalkredit.online/ir6g/" or url like "www.royalkredit.online/ir6g/" or userdomainname like "www.bkexclusivecars.net/ir6g/" or url like "www.bkexclusivecars.net/ir6g/" or userdomainname like "www.moncoop.coop/ir6g/" or url like "www.moncoop.coop/ir6g/" or userdomainname like "www.tehranrizcomputer.com/ir6g/" or url like "www.tehranrizcomputer.com/ir6g/" or userdomainname like "www.sazekents.cfd/ir6g/" or url like "www.sazekents.cfd/ir6g/" or userdomainname like "www.xediedie.icu/ir6g/" or url like "www.xediedie.icu/ir6g/" or userdomainname like "www.eeja.uk/ir6g/" or url like "www.eeja.uk/ir6g/" or userdomainname like "www.mscfoundation.info/ir6g/" or url like "www.mscfoundation.info/ir6g/" or userdomainname like "www.brighterhomesdecor.com/ir6g/" or url like "www.brighterhomesdecor.com/ir6g/" or userdomainname like "www.efidence.com/ir6g/" or url like "www.efidence.com/ir6g/" or userdomainname like "www.tk254kr6rwr7mjtru.com/ir6g/" or url like "www.tk254kr6rwr7mjtru.com/ir6g/" or userdomainname like "www.haycoches.com/ir6g/" or url like "www.haycoches.com/ir6g/" or userdomainname like "www.electra-airways.info/ir6g/" or url like "www.electra-airways.info/ir6g/" or userdomainname like "www.happiluv.com/ir6g/" or url like "www.happiluv.com/ir6g/" or userdomainname like "www.goog1evip15.com/ir6g/" or url like "www.goog1evip15.com/ir6g/" or userdomainname like "www.womenscalshion.com/ir6g/" or url like "www.womenscalshion.com/ir6g/" or userdomainname like "www.lenaguillemette.com/ir6g/" or url like "www.lenaguillemette.com/ir6g/" or userdomainname like "www.jamesgadzikmd.com/ir6g/" or url like "www.jamesgadzikmd.com/ir6g/" or userdomainname like "www.kavanzi.com/ir6g/" or url like "www.kavanzi.com/ir6g/" or userdomainname like "www.tupinkeept.cfd/ir6g/" or url like "www.tupinkeept.cfd/ir6g/" or userdomainname like "www.portfutures.asia/ir6g/" or url like "www.portfutures.asia/ir6g/" or userdomainname like "www.cgm-logistics.org/ir6g/" or url like "www.cgm-logistics.org/ir6g/" or userdomainname like "www.dutch-wildlife.shop/ir6g/" or url like "www.dutch-wildlife.shop/ir6g/" or userdomainname like "www.dsisarl.com/ir6g/" or url like "www.dsisarl.com/ir6g/" or userdomainname like "www.haftplicht.com/ir6g/" or url like "www.haftplicht.com/ir6g/" or userdomainname like "www.roundhaygardenscene.com/ir6g/" or url like "www.roundhaygardenscene.com/ir6g/" or userdomainname like "www.alace5.com/ir6g/" or url like "www.alace5.com/ir6g/" or userdomainname like "www.sathyfe.com/ir6g/" or url like "www.sathyfe.com/ir6g/" or userdomainname like "www.electronicraw.com/ir6g/" or url like "www.electronicraw.com/ir6g/" or userdomainname like "www.earn50k.com/ir6g/" or url like "www.earn50k.com/ir6g/" or userdomainname like "www.arasymimbi.com/ir6g/" or url like "www.arasymimbi.com/ir6g/" or userdomainname like "www.lriz.site/ir6g/" or url like "www.lriz.site/ir6g/" or userdomainname like "www.pinnaclebyte.info/ir6g/" or url like "www.pinnaclebyte.info/ir6g/" or userdomainname like "www.avolci.com/ir6g/" or url like "www.avolci.com/ir6g/" or userdomainname like "www.am8pw.us/ir6g/" or url like "www.am8pw.us/ir6g/" or userdomainname like "www.projectimprov.com/ir6g/" or url like "www.projectimprov.com/ir6g/" or userdomainname like "www.energeticfranchise.top/ir6g/" or url like "www.energeticfranchise.top/ir6g/" or userdomainname like "www.devocionmusic.com/ir6g/" or url like "www.devocionmusic.com/ir6g/" or userdomainname like "www.markthing.site/ir6g/" or url like "www.markthing.site/ir6g/" or userdomainname like "www.myhosting.co.in/ir6g/" or url like "www.myhosting.co.in/ir6g/" or userdomainname like "www.solar-windturbine.life/ir6g/" or url like "www.solar-windturbine.life/ir6g/" or userdomainname like "www.flusznwrldwide.com/ir6g/" or url like "www.flusznwrldwide.com/ir6g/" or userdomainname like "www.lifedrawingbristol.co.uk/ir6g/" or url like "www.lifedrawingbristol.co.uk/ir6g/" or userdomainname like "www.weberze.com/ir6g/" or url like "www.weberze.com/ir6g/" or userdomainname like "www.getmylinks.cc/ir6g/" or url like "www.getmylinks.cc/ir6g/" or userdomainname like "www.aspasskeoffice.homes/ir6g/" or url like "www.aspasskeoffice.homes/ir6g/"

    Detection Query 2

    userdomainname like "www.uxzl.site/ir6g/" or url like "www.uxzl.site/ir6g/" or userdomainname like "www.carpmaxxbait.online/ir6g/" or url like "www.carpmaxxbait.online/ir6g/" or userdomainname like "www.dumpstedoctorca.com/ir6g/" or url like "www.dumpstedoctorca.com/ir6g/" or userdomainname like "www.revelationfithub.com/ir6g/" or url like "www.revelationfithub.com/ir6g/" or userdomainname like "www.cuffbow.com/ir6g/" or url like "www.cuffbow.com/ir6g/" or userdomainname like "www.hk9.xyz/ir6g/" or url like "www.hk9.xyz/ir6g/" or userdomainname like "www.lollybowly.com/ir6g/" or url like "www.lollybowly.com/ir6g/" or userdomainname like "www.aarunifoodcrafters.com/ir6g/" or url like "www.aarunifoodcrafters.com/ir6g/" or userdomainname like "www.jarvisandbrown.com/ir6g/" or url like "www.jarvisandbrown.com/ir6g/" or userdomainname like "www.gattosat.icu/ir6g/" or url like "www.gattosat.icu/ir6g/" or userdomainname like "www.xfgqbh.site/ir6g/" or url like "www.xfgqbh.site/ir6g/" or userdomainname like "www.mag-flex.com/ir6g/" or url like "www.mag-flex.com/ir6g/" or userdomainname like "www.trisixnine.net/0057/" or url like "www.trisixnine.net/0057/" or userdomainname like "www.softillery.info/cyhg/" or url like "www.softillery.info/cyhg/" or userdomainname like "www.easestore.shop/qflp/" or url like "www.easestore.shop/qflp/" or userdomainname like "www.yu35n.top/kejj/" or url like "www.yu35n.top/kejj/" or userdomainname like "www.yourhomecopilot.online/gctn/" or url like "www.yourhomecopilot.online/gctn/" or userdomainname like "www.fastr.live/gsjn/" or url like "www.fastr.live/gsjn/" or userdomainname like "www.dto20.shop/efvy/" or url like "www.dto20.shop/efvy/" or userdomainname like "www.aromavida.net/4rlw/" or url like "www.aromavida.net/4rlw/" or userdomainname like "www.crochetpets.online/vand/" or url like "www.crochetpets.online/vand/" or userdomainname like "www.queima.shop/mdoj/" or url like "www.queima.shop/mdoj/" or userdomainname like "www.nojamaica.net/g7eq/" or url like "www.nojamaica.net/g7eq/" or userdomainname like "www.komart.shop/b2t1/" or url like "www.komart.shop/b2t1/" or userdomainname like "www.livemarkat.live/8h0p/" or url like "www.livemarkat.live/8h0p/" or userdomainname like "www.d27dm.top/ptbb/" or url like "www.d27dm.top/ptbb/" or userdomainname like "www.rtpgaruda888resmi.xyz/u8o7/" or url like "www.rtpgaruda888resmi.xyz/u8o7/" or userdomainname like "www.chalet-tofane.net/3bhs/" or url like "www.chalet-tofane.net/3bhs/" or userdomainname like "www.platinumkitchens.info/dquo/" or url like "www.platinumkitchens.info/dquo/" or userdomainname like "www.eslameldaramlly.site/nlx0/" or url like "www.eslameldaramlly.site/nlx0/" or userdomainname like "www.theproselytizer.net/od1n/" or url like "www.theproselytizer.net/od1n/" or userdomainname like "www.amitayush.digital/93j5/" or url like "www.amitayush.digital/93j5/" or userdomainname like "www.030002304.xyz/d7z8/" or url like "www.030002304.xyz/d7z8/" or userdomainname like "www.aaavvejibej.bond/lh0g/" or url like "www.aaavvejibej.bond/lh0g/" or userdomainname like "www.useanecdotenow.tech/vera/" or url like "www.useanecdotenow.tech/vera/" or userdomainname like "www.bayarcepat19.click/q1x3/" or url like "www.bayarcepat19.click/q1x3/" or userdomainname like "www.bluegirls.blog/g1ze/" or url like "www.bluegirls.blog/g1ze/" or userdomainname like "www.wdeb18.top/kv48/" or url like "www.wdeb18.top/kv48/" or userdomainname like "www.weatherbook.live/tfj4/" or url like "www.weatherbook.live/tfj4/" or userdomainname like "www.pachuco.supply/7gdu/" or url like "www.pachuco.supply/7gdu/" or userdomainname like "www.childlesscatlady.today/2kmz/" or url like "www.childlesscatlady.today/2kmz/" or userdomainname like "www.kabaribukota.press/nr90/" or url like "www.kabaribukota.press/nr90/" or userdomainname like "www.federall.store/afqz/" or url like "www.federall.store/afqz/" or userdomainname like "www.inf30027group23.xyz/xzfm/" or url like "www.inf30027group23.xyz/xzfm/" or userdomainname like "www.allthingsjasmin.com/pbmf/" or url like "www.allthingsjasmin.com/pbmf/" or userdomainname like "www.ntn.solar/fcmy/" or url like "www.ntn.solar/fcmy/" or userdomainname like "www.torex33.online/pvct/" or url like "www.torex33.online/pvct/" or userdomainname like "www.resumeyourway.info/vn92/" or url like "www.resumeyourway.info/vn92/" or userdomainname like "www.kx507981.shop/q3r9/" or url like "www.kx507981.shop/q3r9/" or userdomainname like "www.ohio-adr.net/j0y4/" or url like "www.ohio-adr.net/j0y4/" or userdomainname like "www.serverplay.live/6b8s/" or url like "www.serverplay.live/6b8s/" or userdomainname like "www.meg21c.top/3jg0/" or url like "www.meg21c.top/3jg0/" or userdomainname like "www.rockbull.pro/0tt2/" or url like "www.rockbull.pro/0tt2/" or userdomainname like "www.trapkitten.website/y6hh/" or url like "www.trapkitten.website/y6hh/" or userdomainname like "www.44ddw.top/3e3b/" or url like "www.44ddw.top/3e3b/" or userdomainname like "www.ngmr.xyz/4muf/" or url like "www.ngmr.xyz/4muf/" or userdomainname like "www.sansensors.info/ip84/" or url like "www.sansensors.info/ip84/" or userdomainname like "www.allsolar.xyz/cph9/" or url like "www.allsolar.xyz/cph9/" or userdomainname like "www.bismarckrecovery.com/kp5k/" or url like "www.bismarckrecovery.com/kp5k/" or userdomainname like "www.vegastinyhomes.net/f2tm/" or url like "www.vegastinyhomes.net/f2tm/" or userdomainname like "www.airbatchnow.online/ekgk/" or url like "www.airbatchnow.online/ekgk/" or userdomainname like "www.huemanstudio.today/0ob6/" or url like "www.huemanstudio.today/0ob6/" or userdomainname like "www.rtpngk.xyz/yd3l/" or url like "www.rtpngk.xyz/yd3l/" or userdomainname like "www.mechecker.life/b6h1/" or url like "www.mechecker.life/b6h1/" or userdomainname like "www.lojashelp.video/ao78/" or url like "www.lojashelp.video/ao78/" or userdomainname like "www.tracy.club/rwcg/" or url like "www.tracy.club/rwcg/" or userdomainname like "www.limitlesssky.org/50p5/" or url like "www.limitlesssky.org/50p5/" or userdomainname like "www.luismoreno.monster/06xo/" or url like "www.luismoreno.monster/06xo/" or userdomainname like "www.dhkatp.vip/4qrw/" or url like "www.dhkatp.vip/4qrw/" or userdomainname like "www.hentaistgma.net/j6o1/" or url like "www.hentaistgma.net/j6o1/" or userdomainname like "www.promasterev.shop/zjp0/" or url like "www.promasterev.shop/zjp0/" or userdomainname like "www.pethut.shop/wrhe/" or url like "www.pethut.shop/wrhe/" or userdomainname like "www.polarmuseum.info/m8hf/" or url like "www.polarmuseum.info/m8hf/" or userdomainname like "www.greekhause.org/tn42/" or url like "www.greekhause.org/tn42/" or userdomainname like "www.wdcb30.top/s7v2/" or url like "www.wdcb30.top/s7v2/"

    Detection Query 3

    sha256hash IN ("66ebf028ab0f226b6e4c6b17cec00102b1255a4e59b6ae7b32b062a903135cc9","88909cd27a422da91a651e87f493d16beff1f0e03adcc035f2835a2a25e871e7","4ad101eef336dc2467ffaf584b272aa82f26711bfba4e2e29e8ad7c6d62bc6ae","362207c53645346df6f36cf3f7792e5fc4655895b35a6e3477e218e0e0007be9","b1fb20d5857d1ca65dbacd6cb100dc2d7da8eb7ce54d4faeebafb2bbb212beca")
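    The queries above match on the full host-plus-path indicator rather than the domain alone, because Xloader's decoy domains are chosen to look like ordinary websites and only the C2 path token (for example /ir6g/) separates beaconing from legitimate browsing. As an added example that is not part of the advisory or of Gurucul's tooling, the Python below applies the same host-plus-path rule to constructed proxy-log records, normalising scheme, port, query string and trailing slash first so that a logged URL such as "https://host:8080/ir6g/x.php" still hits; the log format and the indicator subset are assumptions.

```python
from urllib.parse import urlsplit

# Subset of the URL/Domain indicators listed in this advisory (host + C2 path).
XLOADER_IOCS = [
    "www.iwin.exposed/ir6g/",
    "www.everycreation.shop/nsev/",
    "www.trisixnine.net/0057/",
    "www.softillery.info/cyhg/",
]

def parse_ioc(entry):
    """Split a 'host/path/' indicator into (host, path prefix), lower-cased."""
    host, _, path = entry.strip().lower().partition("/")
    return host, "/" + path

def normalise_url(url):
    """Reduce a logged URL to (host, path): scheme, port and query must not hide a hit."""
    if "://" not in url:
        url = "http://" + url          # bare 'host/path' records, as in the queries
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if not path.endswith("/"):
        path += "/"                    # so '/ir6g' and '/ir6g/' compare alike
    return host, path

def match_ioc(url, iocs=XLOADER_IOCS):
    """Return the matching indicator or None: host must be equal, path must start with the prefix."""
    host, path = normalise_url(url)
    for entry in iocs:
        ioc_host, ioc_path = parse_ioc(entry)
        if host == ioc_host and path.startswith(ioc_path):
            return entry
    return None

def scan_proxy_log(lines, iocs=XLOADER_IOCS):
    """Flag each 'client url status' record whose URL hits an indicator; skip malformed lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        entry = match_ioc(fields[1], iocs)
        if entry:
            hits.append((fields[0], entry))
    return hits

# Constructed sample records (not from the advisory): client IP, requested URL, HTTP status.
SAMPLE_LOG = [
    "10.0.0.5 http://www.everycreation.shop/nsev/ 200",
    "10.0.0.7 https://www.iwin.exposed/ 200",   # decoy domain without the C2 path: not flagged
    "10.0.0.9 www.softillery.info/cyhg/?id=1 503",
    "bad-record",
]
```

A request to the bare decoy domain is deliberately not flagged, which keeps the rule from alerting on benign visits to the sites Xloader borrows for cover.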

    Reference: 

    https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-2#indicators-of-compromise--iocs-


    Tags

    Malware, Xloader
