MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XFilesStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0
SHA3-384 hash: 28e00becb9cccf1176f32f1bd64e2f64daf13fdd5984eb8c830e6ef694e9cdfd564d99f4041222c83074f77fec388d8b
SHA1 hash: 67551bc2cd84ddca9426816b7f334e8ab72b7113
MD5 hash: 69d71cf9af28c732b1cf0f53a141b774
humanhash: lion-lima-bluebird-golf
File name:69d71cf9af28c732b1cf0f53a141b774
Download: download sample
Signature XFilesStealer
Create hunting rule
File size:108'032 bytes
First seen:2022-06-10 12:54:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:HwBb7zBzfJ82ZXCZvau97Dd3UYsDyoSX4x5zd9TkMdE5a0uCtUdCG+0z6kFC1QA:Sb3BfC2ZXCvau8YCyczd9BSLG+09jA
Threatray 247 similar samples on MalwareBazaar
TLSH T1C7B32B82312F4D6AD3D2933620D73227D9467DE1E291EED4A46815F70BF329DE8C6362
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e8942100802194e8 (1 x XFilesStealer)
Reporter zbetcheckin
Tags:exe XFilesStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
69d71cf9af28c732b1cf0f53a141b774
Verdict:
No threats detected
Analysis date:
2022-06-10 13:44:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4131d4e9-c56e-4467-a17f-d15b60f6c6b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/278679/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.13825.4568.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Forced system process termination
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62a33f298763ffd4adacdfa1/reports/0c973cbe-3e54-441b-bce3-f26afc3b0ed8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f8f3cbf-2920-4a30-8ab7-6fbc8aa9e149
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1010833
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-06-10 12:55:06 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
8
AV detection:
11 of 26 (42.31%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dcdzrhiwrymga27roxo3dkb6nss267vsxs6wbprx44u6zuflroya._file
Verdict:
unknown
Similar samples:
0dda8ee1b2c7ef43c297140d4a2f5fe099c8cd95da67a0d629c5c93f8f4e5c10
XFilesStealer
121b6dad90e595649055bbf49c7908ec6158b6f276c51e03a1f3492335ec6b43
XFilesStealer
60bc83d86c495e11d556ff933414008ed8228d9c2060fc18e230dea899e46edf
XFilesStealer
6bf3a10671251c27956a1e4003110e1af36bf83f7a7607dd87c61419aa3f786a
XFilesStealer
82975f550f2188cb4476f4a217233594384d29d6736b56d47131146145251c7a
XFilesStealer
b1c44efc8a0822c7c6949ee3ce9f6629893abf9a59dbfbfbf888a627c4f348e9
XFilesStealer
b79585519703d2f90872de1698c5b9bf03dd63ff3d63897da2f5af3e26af076c
XFilesStealer
d305689297d694f0f9402450523a468608f35d4f9058cfcaef63230a54d65f59
XFilesStealer
e45ea9f5349a46d088a2e2ae48bdb9fe83df9d34b30ea961f8af801fa250e00c
XFilesStealer
e6a50d3b91eaa5c64ad45cf6798720b270fb872c32153b193ea47881c99ffbc1
XFilesStealer
+ 237 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220610-p5rv5sffc8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files
SH256 hash:
1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0
MD5 hash:
69d71cf9af28c732b1cf0f53a141b774
SHA1 hash:
67551bc2cd84ddca9426816b7f334e8ab72b7113
Link:
https://www.unpac.me/results/a0622c96-1284-45fa-87bd-34cfd73ee202/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XFilesStealer

Executable exe 1887989d168e18606bf175ddb1a83e6ca5af7eb2bcbd60be37e729ecd0ab8bb0

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/278679/
  
URLhaus
https://urlhaus.abuse.ch/url/2232785/
  
URLhaus
https://urlhaus.abuse.ch/url/2233009/

Comments


Avatar
zbet commented on 2022-06-10 12:54:54 UTC

url : hxxp://nkai.xyz/VideoLAN.exe