MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15e2f966937440c34a383f8a2df6fa8b380fbc858b7560e3129f563296e17fbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XFilesStealer


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15e2f966937440c34a383f8a2df6fa8b380fbc858b7560e3129f563296e17fbb
SHA3-384 hash: 7af0388a588d99a22d2d08fea3279a7e41af07fe1da621a0ab62958992c57d5812a001b9e67030a8c5a91722808dc34b
SHA1 hash: fc8df7cb950034963d9f658d481c9ffb88bc9c75
MD5 hash: 26ed0fe0f7c70df9e9f1f37d26f79c5b
humanhash: aspen-july-kitten-harry
File name:26ed0fe0f7c70df9e9f1f37d26f79c5b
Download: download sample
Signature XFilesStealer
Create hunting rule
File size:136'192 bytes
First seen:2022-06-08 05:58:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:2GL9IPDwsdPCLxmeLV0HLk8bgAp+hcx21NFBRgwS5wcReUe/saW4NECeeeedeeex:2Z9BuWYKpgj1HcixN1RtO
Threatray 2'996 similar samples on MalwareBazaar
TLSH T154D31A2BA74B59D7C1A44638C4A7C3740262EE6219708D0B3FDC3E9FBD3A3442957A5D
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 71ccccb3b3cccc71 (3 x XFilesStealer, 2 x Metasploit)
Reporter zbetcheckin
Tags:exe XFilesStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
26ed0fe0f7c70df9e9f1f37d26f79c5b
Verdict:
No threats detected
Analysis date:
2022-06-08 06:01:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fa780276-d1bf-4a28-8730-da669d4a6ebb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/277616/
Detection(s):
Win.Malware.Msilzilla-9951127-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated update.exe wacatac
Link:
https://www.filescan.io/uploads/62a03aa75dc88d35716aab6e/reports/0dae9874-eee3-4cb6-8896-0f48a094fbec/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVEMARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b944ded6-e2b4-4c01-a4b5-ea49eb36807f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1008742
Signature
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15e2f966937440c34a383f8a2df6fa8b380fbc858b7560e3129f563296e17fbb/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-06-07 22:23:07 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
19
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cxrpszutoramgsryh6fc35x2rm4a7pefrn2wbyyst5ldffxbp65q._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0e22f42c7121ad7bd94850929efe4e42fe7cc13808f5404a3a864b56bcfcb49f
XFilesStealer
33ad97412d0ea51dd14c970ea67a92b237b28de04add5ecc3f64f9696fb3ed1c
XFilesStealer
770baec4d4ea7b2b87c117cf09c9b5b3263e827b8d449b35a35a9e03aac6d362
XFilesStealer
81f87505081c9fae48db9fc5098b1799c95b92ce2f0094fc69885a176651775b
XFilesStealer
989d751b53b8c3d3d57111fe727904298f8723cab3b656db6da4bacfd9a2ed18
XFilesStealer
9ec8fb4ace7504bd52aedc9f4ff87af83e90b6db1a4642eedde78ff612e1e25f
XFilesStealer
aacb32e6d8717a1aa7836996f0b6388bffba81978d0d4753cc69c0c56d9beb47
XFilesStealer
c9aa37b14d02530c430923c6f758158f1116109efad42f3cbd2eb965aa1c3b1f
XFilesStealer
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731
XFilesStealer
+ 2'986 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/220608-gprlfacdfm/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
15e2f966937440c34a383f8a2df6fa8b380fbc858b7560e3129f563296e17fbb
MD5 hash:
26ed0fe0f7c70df9e9f1f37d26f79c5b
SHA1 hash:
fc8df7cb950034963d9f658d481c9ffb88bc9c75
Link:
https://www.unpac.me/results/1b06d966-d9b9-4c56-9c42-3bd21a30771f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/15e2f9669374/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.76
Link:
https://yomi.yoroi.company/submissions/15e2f966937440c34a383f8a2df6fa8b380fbc858b7560e3129f563296e17fbb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XFilesStealer

Executable exe 15e2f966937440c34a383f8a2df6fa8b380fbc858b7560e3129f563296e17fbb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2203952/
  
URLhaus
https://urlhaus.abuse.ch/url/2204693/
Cape
Cape
https://www.capesandbox.com/analysis/277616/

Comments


Avatar
zbet commented on 2022-06-08 05:58:29 UTC

url : hxxp://198.251.86.46/checkit2.exe