MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 030b845ceef6ad578d8209e51657c1e901b482338f9b510bc8516fce1acdea7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XFilesStealer

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments 1

SHA256 hash:	030b845ceef6ad578d8209e51657c1e901b482338f9b510bc8516fce1acdea7e
SHA3-384 hash:	a27cf5e360b21e7fec846146e9d76376116a1d0b0c908caf5e68613fc6e560b57206df5c5c6269c440fbddc3a5cdf06e
SHA1 hash:	ba068f958db6e8e24fee025482346f9568b9e615
MD5 hash:	ef060415090b4c1f3759c58d3cb1ed48
humanhash:	delta-mike-florida-lithium
File name:	ef060415090b4c1f3759c58d3cb1ed48
Download:	download sample
Signature	XFilesStealer Create hunting rule
File size:	5'540'352 bytes
First seen:	2022-07-21 06:46:14 UTC
Last seen:	2022-07-22 11:07:17 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	98304:ylOgqc/GyFPd0r20TxTTyEFBV4LYh4aybnysf/RCOsbYz5Ic0Ifh:T3c/5FPd060FTlVkYhVybys35l0I5
Threatray	1'956 similar samples on MalwareBazaar
TLSH	T1A346236672A3D5A9E0C04C7AEA0A71FAE9C33E79DCE395D32570BF2A317E121910D153
TrID	63.5% (.EXE) Win64 Executable (generic) (10523/12/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	2327272f6f676767 (3 x RedLineStealer, 1 x XFilesStealer, 1 x AsyncRAT)
Reporter	zbetcheckin
Tags:	exe XFilesStealer

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/293094/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.29547.13887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Launching a process

Creating a file

Enabling autorun

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/62d8f6730e298a94f3e6e413/reports/ec51b65d-5a52-4cda-8c65-b8b1728fd2d2/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a270671e-6815-423f-a69d-d4f493b83e21

Result

Threat name:

Phoenix Miner

Detection:

malicious

Classification:

evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1038402

Signature

Antivirus detection for dropped file

Creates an undocumented autostart registry key

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Writes to foreign memory regions

Yara detected Phoenix Miner

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/030b845ceef6ad578d8209e51657c1e901b482338f9b510bc8516fce1acdea7e/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2022-07-21 06:47:17 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=amfyixho62wvpdmcbhsrmv6b5ea3jartr6nvcc6ikfx44gwn5j7a._file

Verdict:

malicious

XFilesStealer

82edebd73b6b366121ccf9b066f1a4d140aed527ce9058866fddfa1b7f884466

XFilesStealer

875269cba0d717c29317564f708525dee36154ec1884ab41c17285ddff910094

XFilesStealer

a0cfdb287a571e7585132886bc8a0ad8de4427eb4b2bad5e650d5921e4834e9e

XFilesStealer

b1fa69e98d91d174851b755a68c214073833e5ac20fdd64f45a61ff0c4a47ad8

XFilesStealer

c69decc448626e1aa6652d4a6e86899649eefd30190ff83d93f0daf36630e376

XFilesStealer

ce442fab80f616645429e47bededf88f2104476899a35952f70e1e31a21e734a

XFilesStealer

e1f0b80e829512170cf479a745a34334108357d4cda701e8be7c10190cb14618

XFilesStealer

ef5e11914dc0593327b1696d65668e32d8ef278310fb6913a74a54f992ef2b77

XFilesStealer

f8cf70d11e4c1620c8bf0edb1ef50d564e6d4b8a293c0948957059526b3ed6d6

XFilesStealer

+ 1'946 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/220721-hj7k5sdde9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

030b845ceef6ad578d8209e51657c1e901b482338f9b510bc8516fce1acdea7e

MD5 hash:

ef060415090b4c1f3759c58d3cb1ed48

SHA1 hash:

ba068f958db6e8e24fee025482346f9568b9e615

Link:

https://www.unpac.me/results/549ebfd6-4767-4f30-8098-5802406ee8a4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/030b845ceef6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/030b845ceef6ad578d8209e51657c1e901b482338f9b510bc8516fce1acdea7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.